security goals re strcpy/strcat/sprintf (Re: "Secure coding" audit checkers and Kerberos)

Jeffrey Altman jaltman at secure-endpoints.com
Thu Oct 16 10:41:23 EDT 2008


Please consider that Windows does not support asprintf, strl*, and the
format strings for the *printf family differ from those on *nix.
Windows of course also supports Unicode (wchar_t) C strings.

To address this, Microsoft has developed the StrSafe library of functions for
the manipulation of char_t and wchar_t strings.

Quoting http://msdn.microsoft.com/en-us/library/ms647466.aspx :

"The advantages of the Strsafe functions include:

 * The size of the destination buffer is always provided to the function
   to ensure that the function does not write past the end of the
   buffer.

 * Buffers are guaranteed to be null-terminated, even if the operation
   truncates the intended result.

 * All functions return an HRESULT, with only one possible success code
   (S_OK).

 * Each function is available in a corresponding character count (cch)
   or byte count (cb) version.

 * Most functions have an extended ("Ex") version available for advanced
   functionality."

S_OK is 0.  Examples of the extended functionality are output pointers
to the end of the string, an output size_t value indicating the number
of bytes/chars remaining in the buffer, and an input flags parameter
permitting various options:

STRSAFE_FILL_BEHIND_NULL
If the function succeeds, the low byte of dwFlags (0) is used to fill
the uninitialized portion of pszDest following the terminating null
character.

STRSAFE_IGNORE_NULLS
Treat null string pointers like empty strings (TEXT("")).

STRSAFE_FILL_ON_FAILURE
If the function fails, the low byte of dwFlags (0) is used to fill the
entire pszDest buffer, and the buffer is null-terminated. In the case of
a STRSAFE_E_INSUFFICIENT_BUFFER failure, any truncated string returned
is overwritten.

STRSAFE_NULL_ON_FAILURE
If the function fails, pszDest is set to an empty string (TEXT("")). In
the case of a STRSAFE_E_INSUFFICIENT_BUFFER failure, any truncated
string is overwritten.

STRSAFE_NO_TRUNCATION
As in the case of STRSAFE_NULL_ON_FAILURE, if the function fails,
pszDest is set to an empty string (TEXT("")). In the case of a
STRSAFE_E_INSUFFICIENT_BUFFER failure, any truncated string is overwritten.

The interface is well thought out.  MIT might consider implementing this
interface for *nix and relying on it throughout the code base.  Or at
the very least implement the functions that are selected for Windows by
making use of this interface.

Just my two cents ....

Jeffrey Altman
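As an added example, not part of this message or of the MIT Kerberos code base: a portable C rendering of the StringCchCopyEx contract described above, the kind of *nix implementation the message suggests. The function name `portable_StringCchCopyEx` is assumed, and the HRESULT and STRSAFE_* numeric values are assumed to match strsafe.h; the point is the size-bounded copy, guaranteed termination, the single success code and the Ex flag behaviour.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins; the values are assumed to match strsafe.h. */
typedef long HRESULT;
#define S_OK                           0L
#define STRSAFE_E_INVALID_PARAMETER    ((HRESULT)0x80070057L)
#define STRSAFE_E_INSUFFICIENT_BUFFER  ((HRESULT)0x8007007AL)
#define STRSAFE_IGNORE_NULLS           0x00000100ul
#define STRSAFE_FILL_BEHIND_NULL       0x00000200ul
#define STRSAFE_FILL_ON_FAILURE        0x00000400ul
#define STRSAFE_NULL_ON_FAILURE        0x00000800ul
#define STRSAFE_NO_TRUNCATION          0x00001000ul

/* Hypothetical portable StringCchCopyEx: cchDest is the destination size in
 * characters, the result is always null-terminated, S_OK is the only success. */
HRESULT portable_StringCchCopyEx(char *pszDest, size_t cchDest,
                                 const char *pszSrc, char **ppszDestEnd,
                                 size_t *pcchRemaining, unsigned long dwFlags)
{
    size_t n = 0;
    HRESULT hr = S_OK;
    int fill = (int)(dwFlags & 0xFF);            /* low byte = fill value */
    if (pszDest == NULL || cchDest == 0)
        return STRSAFE_E_INVALID_PARAMETER;
    if (pszSrc == NULL) {
        if (!(dwFlags & STRSAFE_IGNORE_NULLS)) return STRSAFE_E_INVALID_PARAMETER;
        pszSrc = "";                             /* null source reads as "" */
    }
    /* Copy at most cchDest-1 chars so the terminator always fits. */
    for (; n < cchDest - 1 && pszSrc[n] != '\0'; n++)
        pszDest[n] = pszSrc[n];
    if (pszSrc[n] != '\0') hr = STRSAFE_E_INSUFFICIENT_BUFFER; /* truncated */
    pszDest[n] = '\0';                           /* terminate either way */
    if (hr == S_OK && (dwFlags & STRSAFE_FILL_BEHIND_NULL))
        memset(pszDest + n + 1, fill, cchDest - n - 1);
    else if (hr != S_OK) {
        if (dwFlags & STRSAFE_FILL_ON_FAILURE) { /* wipe the whole buffer */
            memset(pszDest, fill, cchDest);
            pszDest[cchDest - 1] = '\0'; n = cchDest - 1;
        }
        if (dwFlags & (STRSAFE_NULL_ON_FAILURE | STRSAFE_NO_TRUNCATION)) {
            pszDest[0] = '\0'; n = 0;            /* discard the partial copy */
        }
    }
    if (ppszDestEnd)   *ppszDestEnd = pszDest + n;
    if (pcchRemaining) *pcchRemaining = cchDest - n;
    return hr;
}
```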