Mailing List Archive

Is this a potential buffer overrun?
Hey, so grep -A1 memtst * in dbmail, and you'll find lots of these:

memtst((dest = (char *)my_malloc(strlen(value)+1))==NULL);
strncpy(dest,value,strlen(value)+1);

Doesn't this cause dest not to be null terminated? The extra space is
allocated specifically for null, so the second line should be:

strncpy(dest,value,strlen(value));

and for extra paranoia:

dest[strlen(value)] = '\0';   /* index strlen(value) is the last byte of the strlen(value)+1 allocation */

Otherwise, you're relying on value to already be null terminated, which it
should be... but who really knows?

Aaron
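An added example (editor's code, not dbmail's and not from either poster) that checks the two copies discussed above and the case where strncpy really does bite. Two points it makes concrete: strncpy(dest, value, strlen(value)+1) does copy the terminator, because strlen() already had to find value's NUL and the count covers it; and the terminator of a strlen(value)+1-byte buffer belongs at dest[strlen(value)], since dest[strlen(value)+1] is one byte past the allocation. The unterminated-result hazard of strncpy only appears when the size limit is less than or equal to strlen(src). my_malloc()/memtst() are replaced by a hypothetical xmalloc(); the input strings are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the my_malloc()/memtst() pair seen in the
 * post (not dbmail's code): allocate or abort. */
static void *xmalloc(size_t n)
{
    void *p = malloc(n);
    if (p == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    return p;
}

/* The dbmail pattern quoted in the post, reproduced unchanged.  strlen()
 * has already walked value up to its NUL, so a copy of strlen(value)+1
 * bytes includes that NUL: dest is terminated. */
char *dup_via_strncpy(const char *value)
{
    size_t len = strlen(value);
    char *dest = (char *)xmalloc(len + 1);
    strncpy(dest, value, len + 1);
    return dest;
}

/* The "copy len bytes, terminate by hand" variant.  The terminator goes at
 * index len; index len+1 is one byte past the allocation. */
char *dup_via_strncpy_manual_nul(const char *value)
{
    size_t len = strlen(value);
    char *dest = (char *)xmalloc(len + 1);
    strncpy(dest, value, len);
    dest[len] = '\0';           /* not dest[len + 1] */
    return dest;
}

/* Returns 1 if f(value) yields a NUL-terminated copy equal to value. */
int dup_matches(char *(*f)(const char *), const char *value)
{
    char *copy = f(value);
    int ok = strcmp(copy, value) == 0;
    free(copy);
    return ok;
}

/* Where strncpy() really does fail to terminate: when the size limit is
 * <= strlen(src).  Copies src into a dstsize-byte buffer pre-filled with
 * 'X' and returns 1 if any NUL landed inside it, 0 otherwise. */
int strncpy_leaves_nul(const char *src, size_t dstsize)
{
    char *dst = (char *)xmalloc(dstsize);
    memset(dst, 'X', dstsize);
    strncpy(dst, src, dstsize);
    int terminated = memchr(dst, '\0', dstsize) != NULL;
    free(dst);
    return terminated;
}

/* Bounded copy that always terminates: at most dstsize-1 bytes, then an
 * explicit NUL.  Returns 1 if src fit, 0 if it was truncated. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    if (dstsize == 0)
        return 0;
    if (len >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, len + 1);
    return 1;
}

int main(void)
{
    const char *value = "constructed sample value";   /* constructed input */
    char small[8];
    int fit;

    printf("strncpy(len+1) copy matches: %d\n", dup_matches(dup_via_strncpy, value));
    printf("manual-NUL copy matches:     %d\n", dup_matches(dup_via_strncpy_manual_nul, value));
    printf("strncpy into 8 bytes terminated? %d\n", strncpy_leaves_nul(value, sizeof small));
    fit = copy_bounded(small, sizeof small, value);
    printf("copy_bounded fit? %d -> \"%s\"\n", fit, small);
    return 0;
}
```

Compile with -Wall -Wextra; running under valgrind or -fsanitize=address with dest[len + 1] substituted into dup_via_strncpy_manual_nul shows the one-byte heap overflow that the index fix avoids.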
Re: Is this a potential buffer overrun?
The input buffers should have made sure that they are \0 terminated.
So buffer[strlen(buffer)] == 0 is always true.
All derivatives from that buffer (parsed entries, for example) are all \0
terminated in the code, so they should be a problem in the code.

But in fact you are right. We're trusting and working with variables we
should trust in that manner.

Best regards,

Eelco


On Monday, Apr 14, 2003, at 22:53 Europe/Amsterdam, Aaron Stone wrote:

> Hey, so grep -A1 memtst * in dbmail, and you'll find lots of these:
>
> memtst((dest = (char *)my_malloc(strlen(value)+1))==NULL);
> strncpy(dest,value,strlen(value)+1);
>
> Doesn't this cause dest not to be null terminated? The extra space is
> allocated specifically for null, so the second line should be:
>
> strncpy(dest,value,strlen(value));
>
> and for extra paranoia:
>
> dest[strlen(value)] = '\0';   /* index strlen(value) is the last byte of the strlen(value)+1 allocation */
>
> Otherwise, you're relying on value to already be null terminated,
> which it
> should be... but who really knows?
>
> Aaron
>
> _______________________________________________
> Dbmail-dev mailing list
> Dbmail-dev@dbmail.org
> http://twister.fastxs.net/mailman/listinfo/dbmail-dev
>
_________________________
E.J.A. van Beek
ICT Manager
IC&S
T: +31 30 2322878
F: +31 30 2322305

PGP-key:
www.ic-s.nl/keys/eelco.txt