
The shown C code has a buffer overflow vulnerability:

    #include <string.h>
    #include <stdlib.h>
    
    char *add_domain_name(char *source) {
        const size_t size = 1024;
        char *dest = malloc(size+1);
        strncpy(dest, source, size);
        strncat(dest, "@example.com", size);
        return dest;
    }

`strncat` takes as a third parameter the maximum length of the appended string.

    strncat(dest, "@example.com", size - strlen(dest));

would be correct.


This isn't even quite right, since the first argument of strncat needs to be a null-terminated string, and strncpy may not null-terminate. I would honestly just give up and write

    size_t len = strlen(source);
    char *dest = malloc(len + sizeof("@example.com")-1 + 1);
    strcpy(dest, source);
    strcpy(dest + len, "@example.com");
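
Added example, not code from either comment above: the two points raised in the thread (strncpy may leave `dest` unterminated, and strncat's count is the maximum number of characters appended) applied to the original fixed-buffer layout, next to an exact-size allocation that does not truncate. The names `add_domain_name_bounded`, `add_domain_name_exact`, `SUFFIX` and `BUF_SIZE` are chosen for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SUFFIX "@example.com"   /* suffix taken from the thread */
#define BUF_SIZE 1024           /* same bound as the original snippet */

/* Fixed-buffer variant: original layout with both comments applied. */
char *add_domain_name_bounded(const char *source) {
    if (source == NULL) return NULL;
    char *dest = malloc(BUF_SIZE + 1);
    if (dest == NULL) return NULL;
    strncpy(dest, source, BUF_SIZE);
    dest[BUF_SIZE] = '\0';  /* strncpy writes no NUL if source has >= BUF_SIZE chars */
    /* strncat's count is the max number of chars appended, NUL not included */
    strncat(dest, SUFFIX, BUF_SIZE - strlen(dest));
    return dest;            /* long input is silently truncated */
}

/* Exact-size variant: size the allocation from the input, no truncation. */
char *add_domain_name_exact(const char *source) {
    const size_t suffix_len = sizeof(SUFFIX) - 1;
    if (source == NULL) return NULL;
    size_t len = strlen(source);
    if (len > SIZE_MAX - suffix_len - 1) return NULL;  /* size_t wraparound */
    char *dest = malloc(len + suffix_len + 1);
    if (dest == NULL) return NULL;
    memcpy(dest, source, len);
    memcpy(dest + len, SUFFIX, suffix_len + 1);        /* copies the NUL too */
    return dest;
}

int main(void) {
    char longname[BUF_SIZE - 3];    /* constructed input: 1020 'a' chars */
    memset(longname, 'a', sizeof(longname) - 1);
    longname[sizeof(longname) - 1] = '\0';
    char *b = add_domain_name_bounded(longname);
    char *e = add_domain_name_exact(longname);
    if (b == NULL || e == NULL) return 1;
    printf("bounded tail: %s\n", b + 1010);  /* suffix cut short */
    printf("exact tail:   %s\n", e + 1010);  /* full suffix */
    free(b);
    free(e);
    return 0;
}
```

The bounded variant stays inside its buffer but can return a string with a cut-off or missing domain, so callers that treat the result as an address need to check for that or use the exact-size variant.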



