-----Original Message----- From: wine-devel-admin@winehq.com [mailto:wine-devel-admin@winehq.com]On Behalf Of Alexandre Julliard Sent: Monday, December 02, 2002 9:03 AM To: Shachar Shemesh Cc: David Laight; David Fraser; Shachar Shemesh; Francois Gouget; wine-devel@winehq.com Subject: Re: strcat+strcat+strcat == baaad
Shachar Shemesh winehebhaim@sun.consumer.org.il writes:
I suggest implementing strlcat and strlcpy, as in OpenBSD.
I can write
them, but I'm not sure where to place them. They should either be inlined (as in - implemented in an include file as a static
func), or
in some library that will be linked (statically, I hope). Ideas?
We don't need that, there are Windows API functions like lstrcpyn that can be used for that. And in any case the right approach to writing correct and secure code is not to truncate every string in sight to some fixed buffer size; it's to make sure you allocate buffers of the right size, and then you can use standard strcpy/strcat/sprintf/etc. without worrying about lengths.
I think this statement has to be tightened. I am sure you know exactly what you mean, Alexandre, and I believe that I and many others do. However I think we need to mention that one needs to consider that the strings passed in may be bad, e.g. unterminated. Either one uses that actual measured lengths of the strings when allocating or one checks the lengths of the strings against the allocated space. In particular one DOES NOT allocate on the basis of some wishy-washy documentation statement or a hard-coded constant that the caller may well have ignored.
-- Alexandre Julliard julliard@winehq.com
Bill Medland
And in any case the right approach to writing correct and secure code is not to truncate every string in sight to some fixed buffer size; it's to make sure you allocate buffers of the right size, and then you can use standard strcpy/strcat/sprintf/etc. without worrying about lengths.
Yes, you can use a small (on stack) buffer for the 'usual' case and only allocate a large one in the unusual ones. (but don't use alloca()...)
I think this statement has to be tightened. I am sure you know exactly what you mean, Alexandre, and I believe that I and many others do. However I think we need to mention that one needs to consider that the strings passed in may be bad, e.g. unterminated. Either one uses that actual measured lengths of the strings when allocating or one checks the lengths of the strings against the allocated space.
Yes, but even then strcpy may not be safe! Another thread could change the length after you've counted it.
In particular one DOES NOT allocate on the basis of some wishy-washy documentation statement or a hard-coded constant that the caller may well have ignored.
Absolutely!
David
David Laight david@l8s.co.uk writes:
Yes, but even then strcpy may not be safe! Another thread could change the length after you've counted it.
Please, this is silly. If another thread is changing the string, all string functions will break, strlcpy is not magically "safer" than strcpy.
-
Alexandre Julliard -
David Laight -
Medland, Bill