[sr #107522] Use of dangerous/banned functions
Jeffrey Walton
INVALID.NOREPLY at gnu.org
Wed Nov 17 00:30:14 CET 2010
URL:
<http://savannah.gnu.org/support/?107522>
Summary: Use of dangerous/banned functions
Project: GnuTLS
Submitted by: noloader
Submitted on: Tue 16 Nov 2010 11:30:10 PM GMT
Category: None
Priority: 5 - Normal
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: None
_______________________________________________________
Details:
GnuTLS uses unsafe string handling functions. From Apples Security Guide,
Table 1 (p. 35):
Table 1: String functions to use and avoid
Don't use these functions - Use these instead
--------------------------+--------------------------
strcat | strlcat
strcpy | strlcpy
strncat | strlcat
strncpy | strlcpy
sprintf | snprintf
vsprintf | vsnprint
The same theme rings true in the Microsoft world. For example, see Howard and
LeBlanc's Writing Secure Code. Use of safe string handling functions is a
secure code quality gate. Microsoft software which uses dangerous and banned
functions will not pass internal quality checks.
== References ==
Apple Inc., "Secure Coding Guide: Security", String Handling, p.35.
Wheeler, "Secure Programming for Linux and Unix HOWTO", Section 6.1 Dangers
in C/C++, p 61.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/support/?107522>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
More information about the Gnutls-devel
mailing list