[GRASS5] str*() vs strn*() functions
Brad Douglas
rez at touchofmadness.com
Fri Aug 26 05:57:28 EDT 2005
Paul,
On Fri, 2005-08-26 at 10:18 +0100, Paul Kelly wrote:
> On Fri, 26 Aug 2005, Brad Douglas wrote:
>
> > Is there any particular reason there has been a recent move from using
> > strn*() function to using str*() functions?
>
> It was a bugfix: with strncmp it was returning a match if one string was
> shorter than the other but matched the first n characters. We needed to
> match the whole string.
Is this a comparison of two strings of arbitrary length or is the source
string known? Do you have an example of where it failed to work
properly? I'm curious.
> > Specifying the string length has security benefits.
>
> What is the problem with using strcmp specifically?
Buffer overflow attacks.
> I had a think about it and couldn't think of any reason not to use strcmp(),
> so I changed some occurences of strncmp() I had added in the past (blindly
> following the way it was done in other parts of the proj library).
I found a short article detailing the problem for anyone interested:
http://www.linuxsecurity.com/content/view/119087/49/
It isn't a huge deal, but it is something to be aware of.
--
Brad Douglas <rez at touchofmadness.com>
More information about the grass-dev
mailing list