The point I'm making is people seem to think they can write crap code, then blindly replace the calls to strcpy with strncpy and all of a sudden their code is safe. It's not! You MUST validate the untrusted data.

Oh, and while you're at it - use 'safer' functions and compile with a stack-smashing detection capability such as VC++'s -GS or Crispin's StackGuard. Then run tools over the code that model data flow through the app - just in case you missed something... And finally, have someone that understands this stuff review your code - just in case you missed something...

Just a small data item: whenever I ask a bunch of developers whether you should accommodate for the trailing '\0' when determining the buffer size in a call to strncpy or strncat, 50% say YES, and 50% say NO... That means 50% are WRONG!! That's how buffer overruns occur...

A stupid developer using 'safe' functions will produce stupid code!! There's no replacement for education, discipline and skill I'm afraid.

Cheers,
Michael
Secure Windows Initiative
Writing Secure Code 2nd Edition
http://www.microsoft.com/mspress/books/5957.asp

-----Original Message-----
From: Hall, Philip [mailto:phallat_private]
Sent: Tuesday, January 28, 2003 8:01 PM
To: secprogat_private

> Of course, the real way to build secure software is not to use "safe"
> functions, but to check data validity :-)

Hang on, that sounds akin to not having locks (safe functions) on your front door, but posting a guard (data validation) at the end of your driveway...hmmmmm

I think I'll stick to my eXtreme Defensive Programming (XDP) and be paranoid about everything...unless you meant that by *adding* the data validity to the 'safe' functions to beef them up...?

--phil
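The '\0' question in the message above has a concrete answer, and the following C example (added here; it is not code from the post or from any Microsoft project, and the function names and the 8-byte test buffer are my own constructions) shows both halves of it: why a bare strncpy with the full buffer size can leave no terminator, and how to validate the length first so the terminator is always accounted for. For strncat the third argument is the number of bytes that may be appended, after which strncat writes its own '\0', so the correct bound is the free space minus one.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if strncpy(dst, src, n) left dst NUL-terminated, 0 if it did
 * not. This is the trap behind the "do I account for the '\0'?" question:
 * when strlen(src) >= n, strncpy fills all n bytes and writes no
 * terminator, so a later strlen()/printf() reads past the buffer. */
int strncpy_leaves_terminator(size_t n, const char *src)
{
    char dst[32];                           /* scratch buffer for the demo */
    if (n == 0 || n > sizeof dst)
        return -1;                          /* outside what this demo covers */
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;    /* only inspects the n bytes written */
}

/* Validate-then-copy: reject input that does not fit, counting the '\0'.
 * Returns 0 on success, -1 when src is too long; dst is always terminated
 * (left empty on failure). */
int checked_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0)
        return -1;
    if (n >= dstsz) {                       /* n == dstsz leaves no room for '\0' */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                /* n + 1 copies the terminator too */
    return 0;
}

/* Validate-then-append. dst already holds a terminated string of capacity
 * dstsz. strncat's third argument is the number of bytes it may APPEND
 * (it then writes its own '\0'), so the bound is dstsz - strlen(dst) - 1,
 * never dstsz itself. Returns 0 on success, -1 (dst unchanged) if the
 * result would not fit. */
int checked_append(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst);
    size_t add  = strlen(src);
    if (used >= dstsz || add > dstsz - used - 1)
        return -1;
    strncat(dst, src, dstsz - used - 1);    /* redundant after the check, but the correct formula */
    return 0;
}

int main(void)
{
    char buf[8];                            /* constructed 8-byte buffer */

    /* "12345678" is 8 chars: fills all of buf, no terminator is written */
    printf("strncpy of 8 chars into 8 bytes terminated? %d\n",
           strncpy_leaves_terminator(sizeof buf, "12345678"));
    /* "1234567" is 7 chars: strncpy pads the 8th byte with '\0' */
    printf("strncpy of 7 chars into 8 bytes terminated? %d\n",
           strncpy_leaves_terminator(sizeof buf, "1234567"));

    printf("checked_copy(\"1234567\")  -> %d\n", checked_copy(buf, sizeof buf, "1234567"));
    printf("checked_copy(\"12345678\") -> %d\n", checked_copy(buf, sizeof buf, "12345678"));

    checked_copy(buf, sizeof buf, "abc");
    printf("checked_append(\"defg\") -> %d (%s)\n", checked_append(buf, sizeof buf, "defg"), buf);
    printf("checked_append(\"h\")    -> %d (%s)\n", checked_append(buf, sizeof buf, "h"), buf);
    return 0;
}
```

The validating functions reject oversized input instead of silently truncating it, which is the point of the message: the bound passed to strncpy or strncat is a backstop, not a substitute for checking the length of untrusted data before it is copied.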
This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 13:27:43 PST