Ed Carp wrote:

> start looking for a way to figure out how to determine how
> much space was allocated to a string. I was rather surprised to find that
> I couldn't find such an animal! Am I missing something here?
>
> Consider the simple case of:
>
> char *my_strcpy (char *to, char *from)
> {
>     while (*from)
>     {
>         *to = *from;
>         to++;
>         from++;
>     }
>     *to = '\0';        /* copy the terminating NUL as well */
>     return (from);
> }
>
> The problem arises if the memory allocation for from exceeds that for to.

No, there is no way for the string copy function itself to determine the size of the destination buffer. All such computation has to be done at the call site, not in the copy function. This is an inherent safety limitation of the C language.

There are two compiler enhancements for GCC that provide full bounds checking on arrays (Bounded Pointers <http://gcc.gnu.org/projects/bp/main.html>, and the other nameless project by Jones & Kelly <http://www.doc.ic.ac.uk/%7Ephjk/BoundsChecking.html>, and ten Brugge <http://web.inter.nl.net/hcc/Haj.Ten.Brugge/>). However, IIRC, both of these enhancements just cause the program to die if the buffer overflows. The other response would be to just ignore writes to arrays beyond the bounds of the array, which is very likely to cause "surprising" incorrect behavior.

More generally, you can read my survey of buffer overflow attacks and defenses here:

"Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade". Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. DARPA Information Survivability Conference and Expo (DISCEX) <http://schafercorp-ballston.com/discex/>, Hilton Head Island SC, January 2000. Also presented as an invited talk at SANS 2000 <http://www.sans.org/sans2000/sans2000.htm>, Orlando FL, March 2000. PDF <http://wirex.com/%7Ecrispin/discex00.pdf>.
It's now a little dated, in that PAX <http://pageexec.virtualave.net/>, libsafe <http://www.research.avayalabs.com/project/libsafe/>, and StackGhost <http://stackghost.cerias.purdue.edu/> came out since I wrote that paper. A more recent and comprehensive survey of open source security will appear shortly in the new IEEE Security&Privacy Magazine <http://www.computer.org/security/>.

Oh yeah, and there's StackGuard <http://immunix.org/stackguard.html> :-)

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX                       http://wirex.com/~crispin/
Security Hardened Linux Distribution:        http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
                        Just say ".Nyet"
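The point Crispin makes above, that the destination size must be supplied by the caller because the copy routine cannot discover it, is illustrated below with an added example (not code from either poster). The bounded copy takes the destination size as an explicit parameter, always terminates the result, and returns the length the caller asked to copy so that truncation is detectable at the call site. The helper names (`bounded_strcpy`, `copy_fits`, `COPY_INTO`) are this example's own; the macro relies on `sizeof` and therefore only works when the destination is a real array, not a pointer that has decayed from one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Copy at most to_size-1 bytes of `from` into `to` and always NUL-terminate.
 * Returns strlen(from): if the return value is >= to_size, the copy was
 * truncated. The size has to come from the caller, which is the only place
 * that knows how big `to` really is.
 */
size_t bounded_strcpy(char *to, size_t to_size, const char *from)
{
    size_t from_len = strlen(from);
    size_t n;

    if (to_size == 0)          /* nothing we can safely write */
        return from_len;

    n = from_len < to_size - 1 ? from_len : to_size - 1;
    memcpy(to, from, n);
    to[n] = '\0';
    return from_len;
}

/* Call-site check: 1 if the whole string fit, 0 if it was truncated. */
int copy_fits(char *to, size_t to_size, const char *from)
{
    return bounded_strcpy(to, to_size, from) < to_size;
}

/*
 * Convenience for fixed-size arrays: sizeof(dst) is evaluated where the
 * array is declared, so the size cannot drift apart from the buffer.
 * Only valid when `dst` is an array, never a `char *`.
 */
#define COPY_INTO(dst, src) copy_fits((dst), sizeof(dst), (src))

int main(void)
{
    char small[8];                       /* constructed sample buffers */
    char tiny[4];
    const char *input = "overflow";      /* 8 chars + NUL = 9 bytes */

    if (COPY_INTO(small, input))
        printf("small: \"%s\" (fit)\n", small);
    else
        printf("small: \"%s\" (truncated)\n", small);

    if (COPY_INTO(tiny, input))
        printf("tiny: \"%s\" (fit)\n", tiny);
    else
        printf("tiny: \"%s\" (truncated, needed %zu bytes)\n",
               tiny, strlen(input) + 1);
    return 0;
}
```

Compared with the quoted `my_strcpy`, the only new information is `to_size`, and it is exactly the information the copy loop had no way to obtain on its own. Whether the caller then aborts, logs, or accepts the truncated result is a policy decision, but it is at least a decision rather than a silent write past the end of `to`.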
This archive was generated by hypermail 2b30 : Tue Jan 28 2003 - 00:07:45 PST