Message-ID: <5470BE2B.5090704@gathman.org>
Date: Sat, 22 Nov 2014 11:47:39 -0500
From: Stuart Gathman <stuart@...hman.org>
To: oss-security@...ts.openwall.com
Subject: Re: Off-by-one question

On 11/22/2014 01:28 AM, Joshua Roers wrote:
>
>> char buf[4];
>> strncpy(buf, "Four", sizeof(buf));
>> buf[sizeof(buf)-1] = '\0';
>> printf("%s\n", buf);
> Since
>> strncpy(buf, "Four", sizeof(buf));
> is not
>> strncpy(buf, "Four", sizeof(buf)-1);
> will strncpy write beyond the memory of 'buf', and set it to NUL?
>
>
> From my understanding of
> http://cwe.mitre.org/data/definitions/193.html, it would.
> ".. creating a buffer overflow that may cause a memory address to be
> overwritten .."
>
>
> But actually RTFM, strncpy will not write, even the NUL, past the size.
>
> So it looks like I'm either reading mitre wrong, or it may be outdated.
>
>
> Any opinions on this?
The snippet will print Fou.  The contract for strncpy is:

        The strncpy() function is similar, except that at most n bytes of src
        are copied.  Warning: If there is no null byte among the first n bytes
        of src, the string placed in dest will not be null terminated.

So you are correct.  Unless strncpy is broken.
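
A guarded-buffer check of that contract, added here as an example rather than code from the thread (the sentinel layout, fill values and function names are constructed for this illustration): strncpy with n equal to the destination size writes exactly n bytes, never the byte after the buffer, and supplies a NUL only when the source is shorter than n.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: a 4-byte destination fenced by sentinel bytes, so
   any write outside buf[0..3] would show up as a damaged sentinel. */
struct guarded {
    char before[4];
    char buf[4];
    char after[4];
};
static void init_guarded(struct guarded *g)
{
    memset(g->before, 0xAA, sizeof g->before);
    memset(g->buf, 0xBB, sizeof g->buf);     /* non-NUL filler */
    memset(g->after, 0xAA, sizeof g->after);
}
/* Returns 1 if the sentinels around buf are untouched. */
static int guards_intact(const struct guarded *g)
{
    for (size_t i = 0; i < sizeof g->before; i++)
        if ((unsigned char)g->before[i] != 0xAA ||
            (unsigned char)g->after[i] != 0xAA)
            return 0;
    return 1;
}
/* Copies src into g->buf exactly as the quoted snippet does: strncpy with
   the full size, then forced termination. Returns how many of the n bytes
   strncpy itself set to NUL: 2 for "Hi" (padding), 0 for "Four" (no room). */
static int copy_like_snippet(struct guarded *g, const char *src)
{
    int nuls = 0;
    init_guarded(g);
    strncpy(g->buf, src, sizeof g->buf);   /* exactly sizeof buf bytes, never more */
    for (size_t i = 0; i < sizeof g->buf; i++)
        if (g->buf[i] == '\0')
            nuls++;
    g->buf[sizeof g->buf - 1] = '\0';      /* the terminator strncpy does not guarantee */
    return nuls;
}

int main(void)
{
    struct guarded g;
    int nuls = copy_like_snippet(&g, "Four");
    printf("%s (NULs written by strncpy: %d, guards intact: %d)\n",
           g.buf, nuls, guards_intact(&g));
    return 0;
}
```

Compiling with gcc may emit a -Wstringop-truncation warning for the strncpy call; that warning is the compiler pointing at the same missing-terminator case the man page describes.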
