Re: C++ Compiler with a -Wwarn-use-of-strcpy or similar option??

Christian Bau <christian.bau@cbau.freeserve.co.uk>
8 Sep 2004 12:04:58 -0400

          From comp.compilers

Related articles
C++ Compiler with a -Wwarn-use-of-strcpy or similar option?? psheer@WITHOUTicon.co.za (Paul Sheer) (2004-09-07)
Re: C++ Compiler with a -Wwarn-use-of-strcpy or similar option?? christian.bau@cbau.freeserve.co.uk (Christian Bau) (2004-09-08)
Re: C++ Compiler with a -Wwarn-use-of-strcpy or similar option?? kenrose@tfb.com (Ken Rose) (2004-09-13)
Re: C++ Compiler with a -Wwarn-use-of-strcpy or similar option?? strohm@airmail.net (John R. Strohm) (2004-09-13)
Re: C++ Compiler with a -Wwarn-use-of-strcpy or similar option?? psheer@icon.co.za (2004-09-14)
| List of all articles for this month |
From: Christian Bau <christian.bau@cbau.freeserve.co.uk>
Newsgroups: comp.compilers,comp.lang.c++
Date: 8 Sep 2004 12:04:58 -0400
Organization: Compilers Central
References: 04-09-038
Keywords: C++, practice
Posted-Date: 08 Sep 2004 12:04:58 EDT

  "Paul Sheer" <psheer@WITHOUTicon.co.za> wrote:
> I need to automatically search and replace all fixed size
> buffer strcpy's with strncpy's (or better yet, strlcpy's)
> as a security and stability audit. The code base is large
> and it is not feasable to manually perform these changes.


1. Replacing strcpy with strncpy is a very bad idea. Where strcpy
overwrites memory, strncpy will create char arrays that are not C
strings.


2. If you perform these changes automatically using some tool then
security will go _down_. Of course, if your intention is only to make
management happy and have a check on a checklist, fine. If you want your
software to be secure and stable, do it by hand.


My recommendation: Take the whole source code. Give it to two separate
programmers. Let them discuss very carefully between them how to make
changes. Then each one goes ahead and makes the necessary changes. When
they are done, you compare the results and clean up any differences.


This is the fastest and safest method to actually get a safer and more
stable program.


Post a followup to this message

Return to the comp.compilers page.
Search the comp.compilers archives again.