Loading ...
Sorry, an error occurred while loading the content.

Re: [hackers-il] origins of strncpy

Expand Messages
  • Elad Efrat
    ... more parentheses - more clarity - less confusion. it s easier to write and audit code when you can clearly see what it does. it s style that should be
    Message 1 of 46 , Jan 12, 2005
    • 0 Attachment
      > Down to business. Why keep the parantheses? Please feel free to give
      > either stylistic or security-oriented arguments.

      more parentheses -> more clarity -> less confusion.
      it's easier to write and audit code when you can
      clearly see what it does. it's style that should be
      kept throughout the code; not sizeof-specific, but
      consistency is also important. :)

      > A nice idea when you are starting a project from scratch. I dislike
      > introducing non-standard (as strlcpy()/strlcat() regrettably are)
      > functions to an existing project due to their non-self-descriptiveness
      > as compared to use of known functions.

      you dislike, but you do what's best for the users. the
      developers can live with a "i just added strlcpy and
      strlcat, man-page is at [url], use them". users don't
      trust software with a bad security history... (imho)

      > Allow me to tap into your fullofitness, then. Perhaps your Google is
      > not my Google, but if you're aware of an snprintf()-avoiding
      > technique, I'd like to hear about it. The only one I'm aware of
      > involves I/O.

      i meant "search for [quote] no snprintf [unquote] on
      google for the solutions other people used in such a
      situation, as you're obviously not the first, and win32
      is definately not an obscure OS as some exotic others.

      > I thought MSDN search for "snprintf" would give me at least a parallel
      > answer. I should not have been so optimistic.

      yeah, i'm aware of how poor MSDN is. however,
      the above-described google search plus the word
      win32 will give you some enlightening results.

      ...and i hear microsoft has a new book about secure
      programming? did you try it?
    • omer mussaev
      ... Since when Guy Keren is microsoft? A link to MSDN was only to illustrate how UCS2 can be character as well. ===== -- o.m.
      Message 46 of 46 , Jan 19, 2005
      • 0 Attachment
        --- Elad Efrat <elad@...> wrote:

        >
        > > > In light of the above, Guy's advice sounds
        > pretty
        > > > reasonable, modulo s/char/TCHAR/g.
        > >
        > > No no... That's the whole point... sizeof should
        > refer to the
        > > _variable_, not to the _type_. I said that if
        > wchar use is an
        > > option, then it even makes sense to sizeof a
        > character array item.
        > > But _types_ should not be sizeof'd this way,
        > because the result is
        > > no better than well-documented constants.
        >
        > i thought we already agreed on this. are we not
        > taking
        > programming advices from microsoft? :)

        Since when Guy Keren is microsoft? A link to MSDN
        was only to illustrate how UCS2 can be character
        as well.


        =====
        --
        o.m.



        __________________________________
        Do you Yahoo!?
        Yahoo! Mail - Find what you need with new enhanced search.
        http://info.mail.yahoo.com/mail_250
      Your message has been successfully submitted and would be delivered to recipients shortly.