> > The same is true in the source code, unsafe > > practices are avoided globally, (e.g. both strcpy() > > and strncpy() are absent together with fixed size > > automatic buffers) rather than used with care > > locally. I won't bore you with all the > > implementation safety "habits", but there are many.
David Wagner wrote: > It's too bad that today such elementary practices are > something to brag about. Perhaps one day we'll be > lucky enough that the answer to these questions > becomes more like "of course we use safe programming > practices; what kind of incompetent amateurs do you > take us for?". Dynamic strings tempt people to forget about enforcing length limits and forget about correctly handling the case when the length limits are exceeded. There is no such thing as a string with no maximum length, merely strings of UNKNOWN maximum length. If one has dynamic buffers and fully dynamic strings, it is always possible for an attacker to discover the previously UNKNOWN maximum length, and exceed it, causing the program to fail in a manner likely to be useful to the attacker. In any program subject to attack, all strings should have known, documented, and enforced maximum length, a length large enough for all likely legitimate uses, and no larger. If enforcing length limits, it is frequently advisable, and often necessary, to use, not strcpy or strncpy, but routines such as _mbscpy_s, string manipulation routines which can, and frequently do, employ buffers of fixed and known length, sometimes pre-allocated fixed length. In C++, incomprehensibly obscure functions such as _mbscpy_s should never be called directly, but rather called through a template library that automatically does the sensible thing when the destination parameter is a fixed length buffer, and can be relied upon to object when commanded to do the stupid thing. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]