[Info-vax] Whither VMS?
Bob Koehler
koehler at eisner.nospam.encompasserve.org
Fri Oct 2 17:16:05 EDT 2009
In article <ha442l$t2i$03$1 at news.t-online.com>, Michael Kraemer <M.Kraemer at gsi.de> writes:
>
> Anyway, I do not see why null termination would
> naturally lead to buffer overflow.
> I'm not aware of any libc function which
> uses the null to mark the end of an area you
> are allowed to *write* to.
> With the exception of *printf() (and gets()) all writable
> buffers have a specified maximum length.
It's simply not true that all writable buffers have a maximum
specified length, from the point of view of a function.
It's trivial to pass a pointer to a string to a function without the
function knowing the size of the buffer, as in the size your code
declared it.
A trivial example:
void a(char* b, char *c, char* d)
{
    /* Copy b into d, then copy c starting at the null just written.
       Neither loop has any idea how big d is. */
    for (; (*d = *b); d++, b++);
    for (; (*d = *c); d++, c++);
}
int main(void)
{
    char d[10];                         /* 10 bytes, but a() is never told */
    a("1234567890", "1234567890", d);   /* stuffs 21 bytes into d */
    return 0;
}
In the above example, function a() will stuff 21 characters into a 10
character buffer d, writing over who knows what in memory. a() can
see that string b is 11 characters, and string c is 11 characters,
and will overwrite the null character it copied from b with the first
character of c, but it has no way of knowing that d is only 11
characters.
This is a common problem with C library routines such as strcat.
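An added example, not from the original post: the same two-string copy as a(), but with the destination's capacity passed in explicitly (the function name concat_bounded and the demo harness are assumptions of this example). It returns the length the full result would need, so the caller can detect truncation instead of discovering a clobbered stack.

```c
#include <stddef.h>
#include <string.h>

/* Bounded version of a(): the caller passes the capacity of d (dsize).
   Writes at most dsize-1 characters plus a terminating null and never
   touches d[dsize] or beyond. Returns the length the complete result
   would need (like snprintf), so need >= dsize means truncation. */
size_t concat_bounded(const char *b, const char *c, char *d, size_t dsize)
{
    size_t need = strlen(b) + strlen(c);  /* what an unbounded a() would write, minus the null */
    size_t pos = 0;

    if (dsize == 0)                       /* no room even for the null: write nothing */
        return need;

    for (; *b != '\0' && pos + 1 < dsize; b++)
        d[pos++] = *b;
    for (; *c != '\0' && pos + 1 < dsize; c++)
        d[pos++] = *c;
    d[pos] = '\0';                        /* pos <= dsize-1, so this is always in bounds */
    return need;
}

/* Constructed harness mirroring the post's main(): a 10-byte buffer followed
   by a sentinel byte. Returns 1 if the sentinel is intact and the buffer is
   null-terminated (no overflow), 0 otherwise. *truncated is set when the
   result did not fit, which is how the caller learns that data was lost. */
int demo_bounded(int *truncated)
{
    struct {
        char d[10];
        char sentinel;
    } s;
    size_t need;

    s.sentinel = 'S';
    need = concat_bounded("1234567890", "1234567890", s.d, sizeof s.d);
    *truncated = need >= sizeof s.d;      /* 20 >= 10: reported, not silently overwritten */
    return s.sentinel == 'S' && memchr(s.d, '\0', sizeof s.d) != NULL;
}
```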