Re: Standards for developing secure software

From: Pavel Kankovsky (peakat_private)
Date: Mon Jan 27 2003 - 02:17:05 PST

  • Next message: Valdis.Kletnieksat_private: "Re: Standards for developing secure software"

    On Sun, 26 Jan 2003, George Dinwiddie wrote:
    
    > Pavel Kankovsky wrote:
    > > (*) The situation when the result appears to be negative because it
    > > is too large to fit into the positive part of a signed type used for
    > > strlen() return value should be considered a bug in strlen()--it
    > > should either use a type able to represent the length of *any*
    > > possible string, or abort when it cannot return a meaningful result
    > > (a dead program is better than a misbehaving program).
    > 
    > I think you meant "The situation when the result appears to be negative
    > because it is too large to fit into the positive part of a signed type
    > used for strlen() return value should *NOT* be considered a bug in strlen()"
    
    I meant this: if strlen() is declared to return type T while T is unable
    to correctly represent the length of any possible zero-terminated string
    that can appear in the program's address space, then strlen() is buggy
    (less buggy, if it aborts rather than returning an incorrect value).
    
    Of course, when the program does something like "U x = strlen(s)" such
    that type U (e.g. popular int) cannot represent all possible return values
    of strlen() then the program using strlen() is buggy because strlen()
    returns (or is assumed to return) a correct value but the assignment done
    by the program corrupts it.
    
    --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
    
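    [Added example, not part of Pavel's message or of the thread. It shows the
    two sides of the point above in C: strlen() itself returns size_t, which can
    hold the length of any string that fits in the address space, while the
    caller's "int x = strlen(s)" is where the value gets corrupted. The helper
    names size_to_int, strlen_int_or_die and low32_negative are made up for
    this example, and it assumes a platform where int is 32 bits, so INT_MAX is
    2147483647 and a length of 2^31 or more no longer fits.]

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the original message; helper names are hypothetical.
 * Assumes int is 32 bits (INT_MAX == 2147483647). */

/* Checked conversion: returns n as an int, or -1 when n does not fit.
 * -1 is never a valid length, so callers can tell the two cases apart. */
int size_to_int(size_t n) {
    if (n > (size_t)INT_MAX) return -1;
    return (int)n;
}

/* strlen() for a caller that insists on an int: abort instead of handing back
 * a truncated (possibly negative) value, in the spirit of "a dead program is
 * better than a misbehaving program". */
int strlen_int_or_die(const char *s) {
    size_t n = strlen(s);
    int len = size_to_int(n);
    if (len < 0) {
        fprintf(stderr, "strlen_int_or_die: length %zu does not fit in int\n", n);
        abort();
    }
    return len;
}

/* What the unchecked "int x = strlen(s)" would store with a 32-bit int: the
 * low 32 bits of n, which read as a negative int whenever bit 31 is set.
 * Computed with unsigned shifts so this function itself has no
 * implementation-defined behaviour. Returns 1 if the stored int would be
 * negative, 0 otherwise. */
int low32_negative(size_t n) {
    return (int)((n >> 31) & 1u);
}

int main(void) {
    const char *sample = "hello, world";   /* constructed sample input */
    printf("strlen_int_or_die(\"%s\") = %d\n", sample, strlen_int_or_die(sample));

    /* 2^31: the first length at which "int x = strlen(s)" goes wrong. */
    size_t big = (size_t)INT_MAX + 1;
    printf("size_to_int(2^31) = %d (does not fit)\n", size_to_int(big));
    printf("2^31 stored in a 32-bit int would read as negative: %d\n",
           low32_negative(big));
    return 0;
}
```

    The check is deliberately on the size_t value before the conversion: once
    the value has been stored in an int, testing it for "< 0" only catches the
    lengths that happen to land in the negative half, not the ones that wrap
    back around to a small positive number.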



    This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 11:30:27 PST