strcat+strcat+strcat == baaad
david at l8s.co.uk
Mon Dec 2 11:45:18 CST 2002

> > And in any case the right approach to writing
> > correct and secure code is not to truncate every string in sight to
> > some fixed buffer size; it's to make sure you allocate buffers of the
> > right size, and then you can use standard strcpy/strcat/sprintf/etc.
> > without worrying about lengths.

Yes, you can use a small (on stack) buffer for the 'usual' case
and only allocate a large one in the unusual ones.
(but don't use alloca()...)

> I think this statement has to be tightened. I am sure you know exactly what
> you mean, Alexandre, and I believe that I and many others do. However I
> think we need to mention that one needs to consider that the strings passed
> in may be bad, e.g. unterminated. Either one uses the actual measured
> lengths of the strings when allocating or one checks the lengths of the
> strings against the allocated space.

Yes, but even then strcpy may not be safe! Another thread could change
the length after you've counted it.

> In particular one DOES NOT allocate on
> the basis of some wishy-washy documentation statement or a hard-coded
> constant that the caller may well have ignored.

David Laight: david at l8s.co.uk
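The two approaches discussed in this message, sizing the buffer from the measured lengths and checking those lengths against the allocated space, put together as an added example (not code from the thread or from Wine). The small on-stack buffer covers the usual case and the heap is used only when the measured total does not fit; the copies use memcpy with the lengths measured up front, so a source string that grows between the measurement and the copy (the race David points out) is rejected rather than written past the buffer. SMALL_BUF, join3_into, use_joined, count_chars and long_case are names and values chosen for this illustration:

```c
#include <stdlib.h>
#include <string.h>

/* Assumed size of the on-stack buffer that covers the usual case. */
#define SMALL_BUF 64

/* Copy a+b+c into dst, but only after checking that the lengths
 * measured now fit the space the caller says it allocated.  Returns 0
 * on success, -1 if the result would not fit; nothing is written in
 * that case, so the string is neither truncated nor overflowed.
 * (Measuring only bounds the copy: a source with no terminator at all
 * cannot be measured safely by strlen() and must be rejected earlier.) */
int join3_into(char *dst, size_t dstsz, const char *a, const char *b, const char *c)
{
    size_t la = strlen(a), lb = strlen(b), lc = strlen(c);

    if (dstsz == 0)
        return -1;
    /* Each test is ordered so the subtractions cannot wrap around. */
    if (la > dstsz - 1 || lb > dstsz - 1 - la || lc > dstsz - 1 - la - lb)
        return -1;                       /* would not fit: refuse, do not truncate */

    /* memcpy with the lengths measured above: if another thread grows a
     * source string between the strlen() and the copy, the copy still
     * writes at most the bytes that were budgeted for. */
    memcpy(dst, a, la);
    memcpy(dst + la, b, lb);
    memcpy(dst + la + lb, c, lc);
    dst[la + lb + lc] = '\0';
    return 0;
}

/* Build a+b+c in a small stack buffer when it fits, otherwise in a heap
 * buffer sized from the measured lengths (malloc, not alloca), hand it to
 * consumer(), and release it.  Returns consumer's result, or -1 if the
 * allocation fails or the strings changed size so that they no longer fit. */
int use_joined(const char *a, const char *b, const char *c, int (*consumer)(const char *))
{
    char small[SMALL_BUF];
    size_t need = strlen(a) + strlen(b) + strlen(c) + 1;
    char *buf = small;
    size_t cap = sizeof small;
    int rc;

    if (need > sizeof small) {
        buf = malloc(need);              /* unusual case: allocate the right size */
        if (!buf) return -1;
        cap = need;
    }
    /* join3_into re-measures and checks against cap, so a string that
     * grew in the meantime is rejected rather than written past buf. */
    rc = join3_into(buf, cap, a, b, c) == 0 ? consumer(buf) : -1;
    if (buf != small) free(buf);
    return rc;
}

/* Constructed consumer for the demonstration: just reports the length. */
static int count_chars(const char *s) { return (int)strlen(s); }

/* Exercises the heap path with a constructed 99-byte string. */
int long_case(void)
{
    char big[100];
    memset(big, 'x', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return use_joined(big, "-", "tail", count_chars);   /* 99 + 1 + 4 = 104 */
}

/* Scratch buffer used by the stand-alone checks in main(). */
static char scratch[8];

int main(void)
{
    int ok = use_joined("wine", "-", "devel", count_chars) == 10
          && long_case() == 104
          && join3_into(scratch, sizeof scratch, "ab", "cd", "ef") == 0
          && strcmp(scratch, "abcdef") == 0
          && join3_into(scratch, sizeof scratch, "abc", "def", "gh") == -1;
    return ok ? 0 : 1;
}
```

The refusal in join3_into is the point of the second quoted approach: when the measured lengths do not fit the allocated space the call fails loudly instead of silently truncating, which is what a strncat-everywhere style would do.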