No need for AV tools on Linux, eh?
Rick Stevens
ricks at nerd.com
Mon Feb 14 21:54:38 UTC 2011
On 02/14/2011 11:23 AM, Joe Zeff wrote:
> On 02/14/2011 10:03 AM, James Mckenzie wrote:
>> I've found very obvious buffer overflow conditions and failures to enforce changes of variable types in publicly available code bases.
>
> It's been years since I did any C programming, and my memory of it is
> dusty (as Ziva David once phrased it) but I do remember that there are
> two, very similar functions for copying strings. One copies as many
> bytes as you give it, the other copies only as many as you specify if
> there are "too many" given. Just using the second instead of the first
> would prevent most of the easier buffer overflow exploits, if not all.
> By now, I'd think that would be automatic, but then, I'm not a
> programmer any more.
You're talking about "strcpy()" (copy until you see the NULL) and
"strncpy()" (copy until you see the NULL, but no more than N bytes).
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, C2 Hosting ricks at nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- If you're not part of the solution, you're part of the precipitate -
----------------------------------------------------------------------
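As an added illustration (not part of the thread), the C below shows the caveat behind the strncpy() advice above: the copy is bounded, but when the source fills the destination strncpy() writes no terminating NUL, so a later strlen() or printf() reads past the buffer. The bounded_copy() and check helpers are hypothetical, not libc functions.

```c
#include <stdio.h>
#include <string.h>

#define DEST_SIZE 8  /* small fixed buffer, like a typical stack array */

/* Bounded copy that always NUL-terminates (hypothetical helper).
 * Returns 1 if src was truncated, 0 if it fit, -1 on a zero-size dest. */
int bounded_copy(char *dest, size_t dest_size, const char *src)
{
    if (dest_size == 0)
        return -1;
    strncpy(dest, src, dest_size - 1);   /* leave room for the terminator */
    dest[dest_size - 1] = '\0';          /* strncpy may not add it */
    return strlen(src) >= dest_size;
}

/* Shows the strncpy() pitfall: fill dest with 'X', copy with the
 * textbook strncpy(dest, src, sizeof dest), then report whether any NUL
 * landed inside the buffer. Returns 1 if terminated, 0 if not. */
int strncpy_terminates(const char *src)
{
    char dest[DEST_SIZE];
    memset(dest, 'X', sizeof dest);
    strncpy(dest, src, sizeof dest);
    return memchr(dest, '\0', sizeof dest) != NULL;
}

/* Runs bounded_copy() into an 8-byte buffer and returns 1 if the result
 * string equals `expect` and the truncation flag equals `expect_trunc`. */
int check_bounded(const char *src, const char *expect, int expect_trunc)
{
    char dest[DEST_SIZE];
    int trunc = bounded_copy(dest, sizeof dest, src);
    return trunc == expect_trunc && strcmp(dest, expect) == 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that exactly fills dest. */
    printf("\"short\"    terminated by strncpy: %d\n", strncpy_terminates("short"));
    printf("\"exactly8\" terminated by strncpy: %d\n", strncpy_terminates("exactly8"));
    printf("bounded_copy truncates \"way too long\" to \"way too\": %d\n",
           check_bounded("way too long", "way too", 1));
    return 0;
}
```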