[GRASS5] str*() vs strn*() functions

Brad Douglas rez at touchofmadness.com
Fri Aug 26 05:57:28 EDT 2005


Paul,

On Fri, 2005-08-26 at 10:18 +0100, Paul Kelly wrote:
> On Fri, 26 Aug 2005, Brad Douglas wrote:
>
> > Is there any particular reason there has been a recent move from using
> > strn*() functions to using str*() functions?
> 
> It was a bugfix: with strncmp it was returning a match if one string was 
> shorter than the other but matched the first n characters. We needed to 
> match the whole string.

Is this a comparison of two strings of arbitrary length or is the source
string known?  Do you have an example of where it failed to work
properly?  I'm curious.

> > Specifying the string length has security benefits.
> 
> What is the problem with using strcmp specifically?

Buffer overflow attacks.

> I had a think about it and couldn't think of any reason not to use strcmp(), 
> so I changed some occurrences of strncmp() I had added in the past (blindly 
> following the way it was done in other parts of the proj library).

I found a short article detailing the problem for anyone interested:
http://www.linuxsecurity.com/content/view/119087/49/

It isn't a huge deal, but it is something to be aware of.


-- 
Brad Douglas <rez at touchofmadness.com>
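
The strncmp() prefix match described in the thread, next to a whole-string comparison that still carries a length bound. This is an added example, not part of the original message and not code from GRASS or the proj library; the function names and the "utm"/"utmzone" strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Prefix comparison: n comes from the shorter key, so "utm" also
 * matches "utmzone". This is the behaviour reported as a bug. */
static int prefix_equal(const char *key, const char *candidate)
{
    return strncmp(key, candidate, strlen(key)) == 0;
}

/* Whole-string comparison. strcmp() reads until it finds a NUL,
 * so both arguments must be NUL-terminated. */
static int whole_equal(const char *key, const char *candidate)
{
    return strcmp(key, candidate) == 0;
}

/* Whole-string comparison for a fixed-size field that may lack a NUL:
 * never reads past field[size - 1] and requires equal lengths. */
static int bounded_equal(const char *field, size_t size, const char *key)
{
    const char *nul = memchr(field, '\0', size);
    size_t len = nul ? (size_t)(nul - field) : size;

    return len == strlen(key) && memcmp(field, key, len) == 0;
}

int main(void)
{
    /* Constructed sample: a 4-byte field with no terminating NUL. */
    const char field[4] = { 'u', 't', 'm', 'z' };

    printf("prefix_equal(utm, utmzone) = %d\n", prefix_equal("utm", "utmzone"));
    printf("whole_equal(utm, utmzone)  = %d\n", whole_equal("utm", "utmzone"));
    printf("bounded_equal(field, utm)  = %d\n", bounded_equal(field, sizeof field, "utm"));
    printf("bounded_equal(field, utmz) = %d\n", bounded_equal(field, sizeof field, "utmz"));
    return 0;
}
```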