Date: Mon, 29 Nov 2004 14:17:07 -0800
From: Brooks Davis <brooks@one-eyed-alien.net>
To: Charles Swiger <cswiger@mac.com>
Cc: ipfw@freebsd.org
Subject: Re: strncmp usage in ipfw
Message-ID: <20041129221707.GA2571@odin.ac.hmc.edu>
In-Reply-To: <E9480AE5-4244-11D9-9087-003065ABFD92@mac.com>
References: <20041129192514.GA7331@odin.ac.hmc.edu> <E9480AE5-4244-11D9-9087-003065ABFD92@mac.com>
On Mon, Nov 29, 2004 at 03:26:12PM -0500, Charles Swiger wrote:
> On Nov 29, 2004, at 2:25 PM, Brooks Davis wrote:
> > char *var;
> > if (!strncmp(var, "str", strlen(var)))
> >     ...
> > [ ... ]
> > Was use of this idiom deliberate or accidental?
>
> I can't speak for the author, but using the "n"-for-length variant of
> the string and printf() family of functions is considered an important
> safety practice, especially for network/firewall/IDS software which may
> be exposed to externally generated data which contains deliberately
> malicious string lengths.

That's true for string creation functions, but not for strncmp.  The only
valid use of strncmp is to do comparisons between strings where one string
is known to not be NUL-terminated or to look for a sub-string.  It is not
a safety function.

> This brings me back to your point with regard to partial matches; it
> might be the case that the IPFW code could use char arrays and
> sizeof(var) rather than char *'s and strlen(var) for some cases?  The
> former approach would not only address your concerns, Brooks, but also
> be faster.  Otherwise, I suspect that:
>
> char *var;
> if (!strncmp(var, "str", strlen(var)))
>     ...
>
> ...should become:
>
> #define STR "str"
> char *var;
> if (!strncmp(var, STR, sizeof(STR)))
>     ...

This is exactly equivalent in functionality to:

char *var;
if (!strcmp(var, "str"))
    ...

We know that "str" is NUL-terminated because the C standard says it is so
we will stop at or before the sizeof("str")th character.  In either case we
are not protected from the possibility that var contains a bogus string if
the bogosity occurs before we get to the end of "str".  In fact, there's no
way to be sure of that except creating the string correctly in the first
place!

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4
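The three comparisons discussed in the thread, side by side, as an added example (this is not ipfw code and not code posted by either participant; the "allow tcp ..." rule text and the unterminated `tcp` buffer are constructed inputs). It shows the prefix match the `strlen(var)` bound permits (including the n == 0 case, where strncmp compares nothing and returns 0), that the `sizeof(STR)` bound gives the same answers as plain strcmp, and the one case where strncmp is actually the right tool: a token sliced out of a larger buffer that carries no NUL of its own, where an explicit length check is what rules out the partial match.

```c
#include <stdio.h>
#include <string.h>

#define STR "str"

/* The idiom questioned in the thread.  Bounding the compare by
 * strlen(var) means var only has to be a PREFIX of the literal to
 * "match": "s", "st" and even "" all pass ("" because strncmp with
 * n == 0 compares nothing and returns 0). */
int match_by_strlen_var(const char *var, const char *lit)
{
    return strncmp(var, lit, strlen(var)) == 0;
}

/* The proposed replacement.  sizeof(STR) counts the literal's
 * terminating NUL, so the compare stops exactly where strcmp would. */
int match_by_sizeof_literal(const char *var)
{
    return strncmp(var, STR, sizeof(STR)) == 0;
}

/* What the above is equivalent to. */
int match_by_strcmp(const char *var)
{
    return strcmp(var, STR) == 0;
}

/* The legitimate strncmp use: tok points into a buffer (a packet, a rule
 * line) and is NOT NUL-terminated; toklen is the token's known length.
 * The length check is what prevents the prefix match; strncmp alone
 * would accept "tc" against "tcp" with toklen == 2.  Since toklen equals
 * strlen(lit), strncmp never reads past tok[toklen - 1]. */
int token_equals(const char *tok, size_t toklen, const char *lit)
{
    return toklen == strlen(lit) && strncmp(tok, lit, toklen) == 0;
}

int main(void)
{
    const char *inputs[] = { "str", "s", "", "string" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        printf("var=\"%s\": strlen(var) bound=%d  sizeof(STR) bound=%d  strcmp=%d\n",
               inputs[i],
               match_by_strlen_var(inputs[i], STR),
               match_by_sizeof_literal(inputs[i]),
               match_by_strcmp(inputs[i]));
    }

    /* Constructed rule line; the second word starts at offset 6, length 3. */
    const char rule[] = "allow tcp from any to me";
    printf("token \"tcp\" == \"tcp\": %d\n", token_equals(rule + 6, 3, "tcp"));
    printf("token \"tc\"  == \"tcp\": %d\n", token_equals(rule + 6, 2, "tcp"));

    /* A genuinely unterminated buffer: strcmp on this would read off the
     * end; token_equals never looks past the three bytes it was given. */
    const char raw[3] = { 't', 'c', 'p' };
    printf("raw 3-byte token == \"tcp\": %d\n", token_equals(raw, 3, "tcp"));
    return 0;
}
```

Note what the example does not show: if `var` itself lacks a terminator and the mismatch does not come first, both `strncmp(var, STR, sizeof(STR))` and `strcmp` read past the end of `var`, which is the point made above that the only real fix is to build the string correctly before comparing it.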