buffer overflow and snprintf/strlcpy

Claus Assmann ca+gnupg-devel at esmtp.org
Tue Nov 28 17:21:58 CET 2006


On Tue, Nov 28, 2006, Werner Koch wrote:
> On Mon, 27 Nov 2006 19:46, ca+gnupg at esmtp.org said:

> > Wouldn't it be more secure to replace sprintf with snprintf
> > (and the proper length restriction of course)?

> Actually I did this in the 2.0 SVN.  However by the time I wrote that

> > (same for strcpy() -> strlcpy(), strcat() -> strlcat(), etc).

> No.  I consider the OpenBSD approach flawed.  Simply cutting off
> strings helps against buffer overflows but there are other problems:

I probably misunderstand you, but snprintf() and strlcpy() behave
the same in that matter, don't they?

strlcpy(dst, src, size);
is basically the same as
snprintf(dst, size, "%s", src);

and in both cases you check the return value to see whether
the "dst" string was large enough to hold the "src" string.

Auditing the code is fine, but humans have the tendency to make
mistakes :-(

If you are sure that the "dst" string is large enough for a strcpy()
function then you may as well use an assertion after a strlcpy()
to let the code check that you were right.
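As an added illustration of the two points in the mail (not code from this thread or from GnuPG): the strlcpy() and snprintf() forms report truncation the same way through their return value, and an assertion after the copy turns a "dst is large enough" belief into a checked one. my_strlcpy is a local implementation of the OpenBSD semantics, assumed here because not every libc ships strlcpy.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Portable strlcpy with OpenBSD semantics (assumed here; many libcs lack it):
   copy at most size-1 bytes, NUL-terminate when size > 0, return strlen(src). */
static size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Both APIs return the length the full result would need, so ret >= size
   means dst was too small.  Each wrapper returns 1 on truncation, else 0. */
int copy_strlcpy(char *dst, size_t size, const char *src)
{
    return my_strlcpy(dst, src, size) >= size;
}

int copy_snprintf(char *dst, size_t size, const char *src)
{
    int ret = snprintf(dst, size, "%s", src);
    return ret < 0 || (size_t)ret >= size;
}

/* Copy src into two equally sized buffers, one per API, and return the shared
   truncation flag (0/1), or -1 if the two disagree on the flag or the string. */
int compare_copies(const char *src, size_t size)
{
    char a[64], b[64];
    if (size == 0 || size > sizeof a) return -1;
    int ta = copy_strlcpy(a, size, src);
    int tb = copy_snprintf(b, size, src);
    return (ta == tb && strcmp(a, b) == 0) ? ta : -1;
}

/* The assertion pattern from the mail: when dst is believed large enough,
   let the program check that belief rather than trust it. */
void copy_checked(char *dst, size_t size, const char *src)
{
    size_t ret = my_strlcpy(dst, src, size);
    assert(ret < size && "dst sized too small for src");
}
```

Note the boundary case: a source exactly as long as the buffer is already truncated by one byte, and both calls flag it because the returned length equals size.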
