The ups and downs of strlcpy()
Posted Jul 20, 2012 17:51 UTC (Fri) by jimparis (guest, #38647)
In reply to: The ups and downs of strlcpy() by bronson
Parent article: The ups and downs of strlcpy()
> Yes, obviously yes. You are now outside the parameters of the program as written and the only 100% safe thing to do is just stop.
It's not obvious, and it's not always true. Security is hard and there's not always one single answer.
If my code is trying to concatenate "/etc/passwd" and ".bak", then yes, it is likely better to stop executing rather than fail to append the suffix.
But if my code is a web server reading someone's preferred subtitle from a form, it's likely better to truncate "Jimparis the magnificent" to just "Jimparis the magni" if it can't fit in my buffer -- the rest of the code will behave no differently than if the user had just typed the truncated version in the first place, while bringing down a whole server process can easily turn into a DoS.
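The two policies jimparis contrasts, refusing a truncated path versus keeping a truncated subtitle, can be expressed with the same strlcpy-style primitive. The following is an added example, not code from the thread or from any libc; `bounded_copy` is a hypothetical stand-in with strlcpy's contract (copy at most `size-1` bytes, always NUL-terminate, return the full source length so the caller can detect truncation), and `build_backup_path` and `set_subtitle` are hypothetical callers that apply the two policies. The subtitle buffer size of 19 is chosen so the constructed input yields exactly the truncation mentioned in the comment.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical strlcpy-like copy (not the page's code): copies at most
 * size-1 bytes, always NUL-terminates when size > 0, and returns strlen(src)
 * so the caller can detect truncation by checking (ret >= size). */
size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Policy 1 (the "/etc/passwd" + ".bak" case): a truncated path names a
 * different file, so refuse instead of carrying on. Returns 1 on success,
 * 0 if the result would not fit; dst is left empty on failure. */
int build_backup_path(char *dst, size_t size, const char *path,
                      const char *suffix)
{
    size_t plen = strlen(path), slen = strlen(suffix);
    if (plen + slen + 1 > size) {        /* +1 for the terminating NUL */
        if (size > 0)
            dst[0] = '\0';
        return 0;
    }
    memcpy(dst, path, plen);
    memcpy(dst + plen, suffix, slen + 1); /* copies the NUL too */
    return 1;
}

/* Policy 2 (the web-form subtitle case): truncation is harmless, so keep
 * what fits and only report whether anything was dropped.
 * Returns 1 if the input was truncated, 0 otherwise. */
int set_subtitle(char *dst, size_t size, const char *input)
{
    return bounded_copy(dst, input, size) >= size;
}

int main(void)
{
    char path[20], title[19];

    printf("backup path: %s\n",
           build_backup_path(path, sizeof path, "/etc/passwd", ".bak")
               ? path : "(refused)");

    /* Constructed input, taken from the comment's own example. */
    int dropped = set_subtitle(title, sizeof title,
                               "Jimparis the magnificent");
    printf("subtitle: \"%s\"%s\n", title, dropped ? " (truncated)" : "");
    return 0;
}
```

The point of returning the full source length rather than a bare success flag is that the caller, not the copy routine, decides whether a truncation is a correctness bug (path) or a cosmetic one (subtitle); the routine itself never writes past `size` in either case.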
Posted Jul 20, 2012 18:29 UTC (Fri)
by quotemstr (subscriber, #45331)
[Link]
If you want that behavior, you can ask for it. If the programmer doesn't specify, the safer thing to do is abort. You'll notice an abort and fix it fast. You might not notice a truncation vulnerability until it's too late.
Posted Jul 20, 2012 20:31 UTC (Fri)
by bronson (subscriber, #4806)
[Link] (2 responses)
So what's the only safe thing for libc to do when it notices that initial conditions are invalid?
Posted Jul 21, 2012 4:19 UTC (Sat)
by cmccabe (guest, #60281)
[Link] (1 responses)
We all make copy-and-paste errors, and, all other things being equal, long, hard-to-inspect C code is less secure than short and clear code.
Posted Jul 25, 2012 2:00 UTC (Wed)
by bronson (subscriber, #4806)
[Link]
I agree with the rest of your comment.