On Fri, 24 Jan 2003 Valdis.Kletnieksat_private wrote:

> On Fri, 24 Jan 2003 03:42:44 GMT, Glynn Clements <glynn.clementsat_private> said:
> >
> > What will happen if the string is too long? What if it contains
> > "unusual" characters? What if the integer is negative, or zero?
>
> What if the string length is negative? (and yes, I've seen a C
> strlen() return a negative value, when another thread trashed the
> stack and corrupted the return value).

You take a loaded gun and kill any person responsible for the code of
the other thread? <evil grin>

Strictly speaking, a test for strlen() < 0 does not improve security
because strlen() < 0 cannot happen without the help of (at least) one of
the "trusted insiders"--the hardware, the OS kernel, the system
libraries, the compiler...or any other thread running in the same
address space (or at least having access to the vital parts of my
thread's address space). (*)

Of course, such a check might make penetration difficult or even
impossible in certain cases, but it is unable to *enforce* anything
because a malevolent thread running in the same address space (or any
other trusted part of the system) can circumvent it easily.

(*) The situation where the result appears to be negative because it is
too large to fit into the positive part of a signed type used for the
strlen() return value should be considered a bug in strlen()--it should
either use a type able to represent the length of *any* possible string,
or abort when it cannot return a meaningful result (a dead program is
better than a misbehaving program).

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
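As an added illustration of the footnote above (example code written for this archive page, not code from Pavel or anyone else in the thread): strlen() returns size_t, an unsigned type, so `strlen(s) < 0` is always false and compilers typically flag it as such. A "negative length" can only appear after the size_t has been narrowed into a signed type, or after memory corruption of the kind Valdis describes, which no in-process check can rule out. The block below does the one conversion that can legitimately go wrong, size_t to int, and refuses it rather than letting the value wrap, and shows a bounded variant for buffers that may not be NUL-terminated. It assumes nothing beyond the C standard library; the names narrow_len, checked_strlen, bounded_strlen and strlen_or_abort and the sample strings are the example's own.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * strlen() returns size_t (unsigned), so "strlen(s) < 0" can never be
 * true. The dangerous step is storing that size_t in an int: a length
 * above INT_MAX then turns into a negative number on the usual
 * two's-complement platforms. narrow_len() does that conversion only
 * when it is exact. Returns 0 and stores the length in *out on success,
 * -1 (leaving *out untouched) when the length does not fit.
 */
int narrow_len(size_t n, int *out)
{
    if (n > (size_t)INT_MAX)
        return -1;          /* not representable: report failure, never a bogus length */
    *out = (int)n;
    return 0;
}

/* Length of a NUL-terminated string as an int; -1 if it cannot be represented. */
int checked_strlen(const char *s, int *out)
{
    return narrow_len(strlen(s), out);
}

/*
 * Bounded variant for buffers that may lack a terminator: never reads
 * beyond cap bytes. Returns 0 and the length on success, -1 if no NUL is
 * found within cap bytes (the buffer cannot be trusted as a string) or
 * the length does not fit in an int.
 */
int bounded_strlen(const char *buf, size_t cap, int *out)
{
    size_t i;
    for (i = 0; i < cap; i++)
        if (buf[i] == '\0')
            return narrow_len(i, out);
    return -1;
}

/* The footnote's second option: refuse to continue rather than misbehave. */
int strlen_or_abort(const char *s)
{
    int len;
    if (checked_strlen(s, &len) != 0) {
        fputs("string length not representable as int; aborting\n", stderr);
        abort();
    }
    return len;
}

int main(void)
{
    int len = 0;
    const char sample[] = "hello";                       /* constructed sample input */
    const char unterminated[4] = { 'a', 'b', 'c', 'd' }; /* constructed: no NUL inside */

    checked_strlen(sample, &len);
    printf("checked_strlen(\"hello\") -> %d\n", len);

    /* A length one past INT_MAX would wrap negative if stored blindly in an int. */
    printf("narrow_len(INT_MAX + 1) -> %d\n",
           narrow_len((size_t)INT_MAX + 1, &len));

    printf("bounded_strlen(unterminated, 4) -> %d\n",
           bounded_strlen(unterminated, sizeof unterminated, &len));

    printf("strlen_or_abort(\"hello\") -> %d\n", strlen_or_abort(sample));
    return 0;
}
```

The point of keeping the status separate from the length is that a caller never has to interpret a negative value as "maybe an error, maybe a wrapped length": the length is only written when it is exact, and the failure path is the same whether the string is too long or the buffer has no terminator.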
This archive was generated by hypermail 2b30 : Sat Jan 25 2003 - 20:52:47 PST