ansaurus

Question

Secure C and the universities - trained for buffer overflow

Answer 1

A:

Actually, Microsoft did provide secure alternatives to the CRT functions. Everybody I know hates them though and disables the warning that you shouldn't use the old functions. If you want something secure, maybe you should use C++. And then either STL strings or something like Qt.

Well, or you go to platforms like .NET or Java, which usually doesn't suffer from these problems (your app might crash, but no way to inject code into your app through a buffer overflow).

Edit: With Data Execution Prevention / NX enabled (default for Vista and .NET), this shouldn't be a problem for traditional platforms as well.

OregonGhost 2009-01-27 11:19:32

Using C++ does not magically stop all buffer overflows and the problems they cause.

Thomas Owens 2009-01-27 11:23:40

Having strdup avaialble doesn't stop buffer overflows either, when people continue to use malloc/strcpy with fixed lengths. C++ offers, but does not enforce alternatives. Code reviews - which you need anyway - can enforce the use of those alternatives.

MSalters 2009-01-27 12:17:46

@Thomas: I meant what MSalters wrote. C++ offers many secure alternatives to the plain old CRT functions, and that alone is in my opinion a reason to switch.

OregonGhost 2009-01-28 16:16:12

-1 for saying DEP/NX remove the problem... they don't.

Longpoke 2010-01-21 19:12:16

@Longpoke: I meant to say that DEP/NX protects you from code injection via buffer overflow, just like managed platforms do anyway. I did not say that DEP/NX prevent buffer overflows in general.

OregonGhost 2010-01-22 11:26:05

DEP/NX are mitigation at best. They have been bypassed before, and even when you can't bypass them, there are other things you can do like setting up a call to an arbitrary function on the stack.

Longpoke 2010-01-22 16:07:05

Answer 2

+10 A:

The Posix function for this (available on nearly every system) is strdup(). strcpy() is used if you don't want to allocate new memory and already have a buffer you want to use, but then you better known how big that buffer is and if the string fits in it. If you don't know if the string fits, there is strncpy() that just copies a given number of characters. So you can limit the copied amount to your buffers size.

And besides of that, there are lots of sting libraries that manage string sizes in different ways.

And since you tagged it C++: There is std::string that does all the memory management for you and doesn't give you these problems.

sth 2009-01-27 11:25:55

Answer 3

+3 A:

Use strncpy:

#define BUFSIZE 127
int main(int argc, char *argv[]) {
  /* ... */
  char prog_name[BUFSIZE + 1];
  strncpy(prog_name, argv[0], BUFSIZE);
  progname[BUFSIZE]= '\0';
  /* ... */
}

There are *n* versions for most str* functions.

David Schmitt 2009-01-27 11:27:24

I hope I got all my "-1" right, my C was never very fluent.

David Schmitt 2009-01-27 11:28:35

Better use BUFSIZE as the length and allocate BUFSiZE + 1 ;-).

Gamecat 2009-01-27 12:25:56

good idea. done.

David Schmitt 2009-01-27 13:29:44

Answer 4

+1 A:

the l (strlcpy, strlcat) functions from OpenBSD are usually better than the n functions, they are both faster and easier to use securely, but they are nonstandard. However, they are BSD licensed so you can include a known good implementation in any program so you can be both cross platform and secure.

For Windows, if you don't care about portability, you can use *_s functions.

jbcreix 2009-01-27 13:27:22

Better than the *n functions* how?

ceretullis 2009-01-28 01:17:35

As described here: http://www.gratisoft.us/todd/papers/strlcpy.htmlThere is still a lot of work to use the 'n functions' effectively.

benno 2009-01-28 01:51:34

Answer 5

A:

int main
(
    int argc, 
    char *argV[]
) 
{
   char prog_name[128];
   if (strlen(argV[0]) < sizeof(prog_name))
   {
       strcpy(prog_name, argV[0]);
   }
   else
   {
       printf("%s is too large for the internal buffer\n", argV[0]);
   }

   return 0;
}

EvilTeach 2009-01-27 15:09:45

Pet peeve: ditch the parens, sizeof is an operator and not a function. Parens are used for types, and are part of the argument to sizeof, which is "cast-like" in appearance.

unwind 2009-01-27 15:19:20

Thank you for your thoughful comment.

EvilTeach 2009-01-27 21:38:33

Answer 6

A:

Thanks for these helpful answers. ;)

wishi 2009-01-27 16:20:58

FYI standard SO procedure if you want to say thanks is to edit your question, not to add another answer. As you can see, some will downvote you for this (it wasn't me).

Graeme Perrow 2009-01-29 00:07:47

Answer 7

A:

Maybe you would find useful reading answers to this question

kliketa 2009-01-28 23:45:54

Answer 8

+1 A:

If I understand correctly, your real question is why the API functions are not made more secure.

One reason reason is that C library is legacy (too late to change it now).

The main reason, however, is that the library is designed to be minimalistic, so that it does the bare minimum and it is the user's responsibility to ensure that it is called correctly. If it was doing any excessive checks, then a price would be paid every time it is called, even if the user can assure for other reasons that no problem is going to occur. This is very very common in many APIs.

That being said, there are enough libraries that provide safer alternatives, they're just not part of the standard library. Also, many people who do higher level stuff work with C++, that has standard class libraries for many of those things.

Uri 2009-01-29 00:02:09

ansaurus

tags:

views:

answers:

Secure C and the universities - trained for buffer overflow

related questions