[sr #107522] Use of dangerous/banned functions
From: Jeffrey Walton
Subject: [sr #107522] Use of dangerous/banned functions
Date: Tue, 16 Nov 2010 23:30:14 +0000
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.12) Gecko/20101027 Ubuntu/10.04 (lucid) Firefox/3.6.12
URL:
<http://savannah.gnu.org/support/?107522>
Summary: Use of dangerous/banned functions
Project: GnuTLS
Submitted by: noloader
Submitted on: Tue 16 Nov 2010 11:30:10 PM GMT
Category: None
Priority: 5 - Normal
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: None
_______________________________________________________
Details:
GnuTLS uses unsafe string handling functions. From Apple's Secure Coding Guide,
Table 1 (p. 35):

Table 1: String functions to use and avoid

Don't use these functions   | Use these instead
----------------------------+--------------------------
strcat                      | strlcat
strcpy                      | strlcpy
strncat                     | strlcat
strncpy                     | strlcpy
sprintf                     | snprintf
vsprintf                    | vsnprintf
The same theme rings true in the Microsoft world. For example, see Howard and
LeBlanc's Writing Secure Code. Use of safe string handling functions is a
secure code quality gate. Microsoft software which uses dangerous and banned
functions will not pass internal quality checks.
== References ==
Apple Inc., "Secure Coding Guide", String Handling, Table 1, p. 35.
Wheeler, "Secure Programming for Linux and Unix HOWTO", Section 6.1 "Dangers
in C/C++", p. 61.
_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/support/?107522>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
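The table in the report above lists replacements but does not show what goes wrong with the banned calls or what a caller must check after switching. The following is an added example by the editor, not GnuTLS code and not part of Jeffrey Walton's report. It builds a "user@host" string into a fixed buffer three ways: with strcpy/strcat (no bound at all), with BSD-style strlcpy/strlcat (implemented here locally as my_strlcpy/my_strlcat, since glibc only added the real ones in 2.38), and with snprintf. It also shows why strncpy is on the list: it can leave the destination unterminated. The buffer size, the inputs and the function names are all assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Local strlcpy/strlcat with BSD semantics (editor's implementation, used
   because the libc may not provide them). Both always NUL-terminate when
   dstsize > 0 and return the length the full result WOULD have had, so a
   return value >= dstsize means the output was truncated. */
static size_t my_strlcpy(char *dst, const char *src, size_t dstsize) {
    size_t srclen = strlen(src);
    if (dstsize != 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

static size_t my_strlcat(char *dst, const char *src, size_t dstsize) {
    const char *end = memchr(dst, '\0', dstsize);
    size_t dstlen = end ? (size_t)(end - dst) : dstsize;
    if (dstlen == dstsize)            /* dst was not terminated: nothing appended */
        return dstsize + strlen(src);
    return dstlen + my_strlcpy(dst + dstlen, src, dstsize - dstlen);
}

/* Banned form: strcpy/strcat never look at the size of out. Any user or host
   longer than the buffer writes past it (undefined behaviour). Kept only for
   contrast; it is never called with oversized input here. */
static void build_unsafe(char *out, const char *user, const char *host) {
    strcpy(out, user);
    strcat(out, "@");
    strcat(out, host);
}

/* Replacement 1: strlcpy/strlcat. Each call is bounded by outsize and the
   return value is checked, so truncation is reported instead of silently
   producing a shorter (and possibly different) identity. Returns 0 or -1. */
static int build_strl(char *out, size_t outsize, const char *user, const char *host) {
    if (my_strlcpy(out, user, outsize) >= outsize) return -1;
    if (my_strlcat(out, "@", outsize) >= outsize)  return -1;
    if (my_strlcat(out, host, outsize) >= outsize) return -1;
    return 0;
}

/* Replacement 2: snprintf. The return value must be checked too: a negative
   value is an encoding error, and n >= outsize means truncation. Returns 0 or -1. */
static int build_snprintf(char *out, size_t outsize, const char *user, const char *host) {
    int n = snprintf(out, outsize, "%s@%s", user, host);
    if (n < 0 || (size_t)n >= outsize) return -1;
    return 0;
}

/* Why strncpy is also on the list: when strlen(src) >= n it copies n bytes
   and writes no terminator, so a later strlen/strcat over-reads. Returns 1 if
   the destination ended up unterminated, 0 if it was terminated. n <= 64. */
static int strncpy_unterminated(const char *src, size_t n) {
    char dst[64];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) == NULL;
}

int main(void) {
    char buf[16];                                  /* assumed fixed-size buffer */
    build_unsafe(buf, "bob", "h");                 /* fits only because inputs are short */
    printf("unsafe (short input): %s\n", buf);
    printf("strl  ok: %d -> %s\n", build_strl(buf, sizeof buf, "alice", "example"), buf);
    printf("strl  truncated: %d -> %s\n", build_strl(buf, sizeof buf, "alice", "example.org"), buf);
    printf("snprintf ok: %d -> %s\n", build_snprintf(buf, sizeof buf, "alice", "example"), buf);
    printf("snprintf truncated: %d\n", build_snprintf(buf, sizeof buf, "alice", "example.org"));
    printf("strncpy unterminated: %d\n", strncpy_unterminated("abcdefgh", 8));
    return 0;
}
```

The point to carry into a review is the return-value check: swapping strcpy for strlcpy or sprintf for snprintf stops the overflow but, without the `>= size` test, turns it into silent truncation, which for identity or path strings is its own bug.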