RE: safe strcpy()?

From: Michael Howard (mikehowat_private)
Date: Tue Jan 28 2003 - 16:40:07 PST


    Seeing as everyone is piling in with their list of "safer" string
    handling functions - We also released a header file, strsafe.h, which
    is being used internally...
    
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/strsafe.asp
    
    Of course, the real way to build secure software is not to use "safe"
    functions, but to check data validity :-)
    
    
    Cheers, Michael
    Secure Windows Initiative
    Writing Secure Code 2nd Edition
    http://www.microsoft.com/mspress/books/5957.asp
    
    
    -----Original Message-----
    From: mlhat_private [mailto:mlhat_private] 
    Sent: Tuesday, January 28, 2003 3:38 PM
    To: Timo Sirainen
    Cc: Ed Carp; secprogat_private
    
    On Tue, Jan 28, 2003 at 08:37:37PM +0200, Timo Sirainen wrote:
    > 
    > I'd suggest not using C's string handling functions at all, they're 
    > way too annoying to be used safely (or at all, really). There are many 
    > libraries that make things easier for you, GLIB and libowfat come to 
    > my mind at first. I've also put a stripped down version of my library 
    > available at http://irccrew.org/~cras/security/lib/
    
    Another library 'libslack' has a rich set of string functions:
    
    	http://libslack.org/manpages/str.3.html
    
    Matt
    


