[GRASS5] str*() vs strn*() functions

Is there any particular reason there has been a recent move from using
strn*() function to using str*() functions?

Specifying the string length has security benefits.

Thanks!

--
Brad Douglas <rez@touchofmadness.com>

Hello Brad

On Fri, 26 Aug 2005, Brad Douglas wrote:

Is there any particular reason there has been a recent move from using
strn*() function to using str*() functions?

It was a bugfix: with strncmp it was returning a match if one string was shorter than the other but matched the first n characters. We needed to match the whole string.

Specifying the string length has security benefits.

What is the problem with using strcmp specifically?
I had a think about it and couldn't think of any reason not to use strcmp(), so I changed some occurences of strncmp() I had added in the past (blindly following the way it was done in other parts of the proj library).

Paul

Paul,

On Fri, 2005-08-26 at 10:18 +0100, Paul Kelly wrote:

On Fri, 26 Aug 2005, Brad Douglas wrote:

> Is there any particular reason there has been a recent move from using
> strn*() function to using str*() functions?

It was a bugfix: with strncmp it was returning a match if one string was
shorter than the other but matched the first n characters. We needed to
match the whole string.

Is this a comparison of two strings of arbitrary length or is the source
string known? Do you have an example of where it failed to work
properly? I'm curious.

> Specifying the string length has security benefits.

What is the problem with using strcmp specifically?

Buffer overflow attacks.

I had a think about it and couldn't think of any reason not to use strcmp(),
so I changed some occurences of strncmp() I had added in the past (blindly
following the way it was done in other parts of the proj library).

I found a short article detailing the problem for anyone interested:
http://www.linuxsecurity.com/content/view/119087/49/

It isn't a huge deal, but it is something to be aware of.

--
Brad Douglas <rez@touchofmadness.com>

On Fri, 26 Aug 2005, Brad Douglas wrote:

On Fri, 2005-08-26 at 10:18 +0100, Paul Kelly wrote:

On Fri, 26 Aug 2005, Brad Douglas wrote:

Is there any particular reason there has been a recent move from using
strn*() function to using str*() functions?

It was a bugfix: with strncmp it was returning a match if one string was
shorter than the other but matched the first n characters. We needed to
match the whole string.

Is this a comparison of two strings of arbitrary length or is the source
string known?

Well yes---we have a specific pre-determined keyword that we are trying to match against one read from a while. I presumed that after strcmp got to the end of the shorter string it would stop matching, which removes the possibility of a buffer overflow. I haven't found any information on this possiblity, and the man page for strcmp doesn't mention it.

Do you have an example of where it failed to work
properly? I'm curious.

It was discussed on the list two days ago:
http://grass.itc.it/pipermail/grass5/2005-August/019378.html

Specifying the string length has security benefits.

What is the problem with using strcmp specifically?

Buffer overflow attacks.

I had a think about it and couldn't think of any reason not to use strcmp(),
so I changed some occurences of strncmp() I had added in the past (blindly
following the way it was done in other parts of the proj library).

I found a short article detailing the problem for anyone interested:
http://www.linuxsecurity.com/content/view/119087/49/

The article seems to deal with comparing two user-supplied strings. So I don't think it's relevant. Also there is only a passing reference to strcmp /
strncmp and it doesn't explain what the issue with it is. As far as I understand it comparing two strings can't cause a buffer overflow in itself; the damage has to be done at the stage where the strings are read into memory?

There's been a lot of work done in GRASS in the
last few years to reduce the chances of buffer overflows (G_asprintf() etc.) although many unsafe assignments/comparisons still remain. I'd like to think I'm not adding any new ones though :slight_smile:

Paul

Brad Douglas wrote:

> > Specifying the string length has security benefits.
>
> What is the problem with using strcmp specifically?

Buffer overflow attacks.

I think you're getting confused with strcpy/strncpy. strcmp only reads
the strings, it doesn't write anything so it can't cause a buffer
overflow.

--
Glynn Clements <glynn@gclements.plus.com>

On Sat, 2005-08-27 at 02:14 +0100, Glynn Clements wrote:

Brad Douglas wrote:

> > > Specifying the string length has security benefits.
> >
> > What is the problem with using strcmp specifically?
>
> Buffer overflow attacks.

I think you're getting confused with strcpy/strncpy. strcmp only reads
the strings, it doesn't write anything so it can't cause a buffer
overflow.

You are correct. Thank you for the reminder.

--
Brad Douglas <rez@touchofmadness.com>