security goals re strcpy/strcat/sprintf (Re: "Secure coding" audit checkers and Kerberos)
jaltman at secure-endpoints.com
Thu Oct 16 10:41:23 EDT 2008
Please consider that Windows does not support asprintf, strl*, and the
format strings for the *printf family differ from those on *nix.
Windows of course also supports Unicode (wchar_t) C strings.
To address this, Microsoft has developed the StrSafe library of functions for
the manipulation of char_t and wchar_t strings.
Quoting http://msdn.microsoft.com/en-us/library/ms647466.aspx :

"The advantages of the Strsafe functions include:

 * The size of the destination buffer is always provided to the function
   to ensure that the function does not write past the end of the
 * Buffers are guaranteed to be null-terminated, even if the operation
   truncates the intended result.
 * All functions return an HRESULT, with only one possible success code
 * Each function is available in a corresponding character count (cch)
   or byte count (cb) version.
 * Most functions have an extended ("Ex") version available for advanced

S_OK is 0. Examples of the extended functionality are output pointers
to the end of the string, an output size_t value indicating the number
of bytes/chars remaining in the buffer, and an input flags parameter
permitting various options:

 * If the function succeeds, the low byte of dwFlags (0) is used to fill
   the uninitialized portion of pszDest following the terminating null
 * Treat null string pointers like empty strings (TEXT("")).
 * If the function fails, the low byte of dwFlags (0) is used to fill the
   entire pszDest buffer, and the buffer is null-terminated. In the case of
   a STRSAFE_E_INSUFFICIENT_BUFFER failure, any truncated string returned
 * If the function fails, pszDest is set to an empty string (TEXT("")). In
   the case of a STRSAFE_E_INSUFFICIENT_BUFFER failure, any truncated
   string is overwritten.
 * As in the case of STRSAFE_NULL_ON_FAILURE, if the function fails,
   pszDest is set to an empty string (TEXT("")). In the case of a
   STRSAFE_E_INSUFFICIENT_BUFFER failure, any truncated string is overwritten.
The interface is well thought out. MIT might consider implementing this
interface for *nix and relying on it throughout the code base. Or at
the very least implement the functions that are selected for Windows by
making use of this interface.
Just my two cents ....
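[Editor's added example. The following C is not from the mail above, from MIT Kerberos, or from Microsoft's StrSafe; it is a portable sketch of the semantics the mail describes (destination size always passed, output always NUL-terminated, a single success code, an explicit insufficient-buffer error, an end pointer and remaining count for chaining, and flags controlling what the buffer holds on failure), written to show what "implementing this interface for *nix" would look like. All names (sr_result, sr_copy_ex, sr_cat_ex, SRF_*, format_principal) and the flag values are my own and hypothetical; the principal strings are constructed sample input.]

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result codes standing in for HRESULT: one success value, distinct failures. */
typedef long sr_result;
#define SR_OK                     0L
#define SR_E_INVALID_PARAMETER   -1L
#define SR_E_INSUFFICIENT_BUFFER -2L

/* Upper bound on a character count so that a wrapped size_t (e.g. (size_t)-1
 * from a bad subtraction in the caller) is rejected instead of trusted.
 * The value is an assumption of this example. */
#define SR_MAX_CCH 0x7fffffffUL

/* Flag bits modeled on the Ex options quoted in the mail. Names and values are
 * hypothetical, not Microsoft's. The low byte of the flags is the fill byte. */
#define SRF_IGNORE_NULLS      0x0100u
#define SRF_FILL_BEHIND_NULL  0x0200u
#define SRF_FILL_ON_FAILURE   0x0400u
#define SRF_NULL_ON_FAILURE   0x0800u
#define SRF_NO_TRUNCATION     0x1000u

/* Copy src into dst[cch_dst]. dst is always NUL-terminated on return unless the
 * destination itself is unusable. *end receives a pointer to the terminator and
 * *remaining the number of free cells, terminator included. */
static sr_result sr_copy_ex(char *dst, size_t cch_dst, const char *src,
                            char **end, size_t *remaining, unsigned flags)
{
    size_t i = 0;
    sr_result hr = SR_OK;
    unsigned char fill = (unsigned char)(flags & 0xffu);

    if (dst == NULL || cch_dst == 0 || cch_dst > SR_MAX_CCH)
        return SR_E_INVALID_PARAMETER;      /* cannot even place a terminator */
    if (src == NULL) {
        if (!(flags & SRF_IGNORE_NULLS)) {
            dst[0] = '\0';
            return SR_E_INVALID_PARAMETER;
        }
        src = "";                           /* treat NULL as the empty string */
    }
    /* Copy at most cch_dst-1 characters, reserving one cell for the NUL. */
    while (src[i] != '\0') {
        if (i == cch_dst - 1) { hr = SR_E_INSUFFICIENT_BUFFER; break; }
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    if (hr == SR_OK) {
        if ((flags & SRF_FILL_BEHIND_NULL) && i + 1 < cch_dst)
            memset(dst + i + 1, fill, cch_dst - i - 1);   /* scrub the tail */
    } else if (flags & SRF_FILL_ON_FAILURE) {
        memset(dst, fill, cch_dst);         /* whole buffer, then terminate */
        dst[cch_dst - 1] = '\0';
        i = cch_dst - 1;
    } else if (flags & (SRF_NULL_ON_FAILURE | SRF_NO_TRUNCATION)) {
        dst[0] = '\0';                      /* discard the truncated prefix */
        i = 0;
    }
    if (end) *end = dst + i;
    if (remaining) *remaining = cch_dst - i;
    return hr;
}

/* Append src to the string already in dst[cch_dst] with the same guarantees.
 * The existing content is scanned with a bound, so an unterminated dst is
 * reported as an error instead of being read past. */
static sr_result sr_cat_ex(char *dst, size_t cch_dst, const char *src,
                           char **end, size_t *remaining, unsigned flags)
{
    size_t len;
    if (dst == NULL || cch_dst == 0 || cch_dst > SR_MAX_CCH)
        return SR_E_INVALID_PARAMETER;
    for (len = 0; len < cch_dst && dst[len] != '\0'; len++)
        ;
    if (len == cch_dst)
        return SR_E_INVALID_PARAMETER;      /* no terminator inside dst */
    return sr_copy_ex(dst + len, cch_dst - len, src, end, remaining, flags);
}

/* Build "user@realm" into a fixed-size buffer, chaining copies through the
 * end pointer and remaining count instead of recomputing strlen each time.
 * On any failure the caller gets an empty string plus an error code, never a
 * silently truncated principal. */
static sr_result format_principal(char *out, size_t cch_out,
                                  const char *user, const char *realm)
{
    char *end;
    size_t left;
    sr_result hr = sr_copy_ex(out, cch_out, user, &end, &left, SRF_NO_TRUNCATION);
    if (hr == SR_OK) hr = sr_copy_ex(end, left, "@", &end, &left, SRF_NO_TRUNCATION);
    if (hr == SR_OK) hr = sr_copy_ex(end, left, realm, &end, &left, SRF_NO_TRUNCATION);
    if (hr != SR_OK && out != NULL && cch_out != 0 && cch_out <= SR_MAX_CCH)
        out[0] = '\0';                      /* drop the partial "user@" too */
    return hr;
}

int main(void)
{
    char buf[16];                           /* constructed: deliberately tight */
    sr_result hr = format_principal(buf, sizeof buf, "alice", "EXAMPLE.COM");
    printf("alice: hr=%ld buf=\"%s\"\n", hr, buf);   /* does not fit: error, "" */
    hr = format_principal(buf, sizeof buf, "bob", "EXAMPLE.COM");
    printf("bob:   hr=%ld buf=\"%s\"\n", hr, buf);   /* fits: SR_OK */
    return 0;
}
```

The design point is the one the mail makes: the caller can only pass the buffer and its size, so the function cannot write past it; the result is always terminated; and truncation is a reported error rather than a quiet outcome, with flags deciding whether a truncated prefix is kept, scrubbed or emptied. A byte-count (cb) variant and a wchar_t variant would be the same logic over a different element size.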