Re: fopen_s



David Webber wrote:
"Eugene Gershnik" <gershnik@xxxxxxxxxxx> wrote in message news:O$6HiHnmGHA.464@xxxxxxxxxxxxxxxxxxxxxxx


How returning errno helps with error reporting and what this has to do with security as such is beyond my imagination. Presumably somebody at Microsoft has trouble understanding and using an API that doesn't uniformly return error codes in COM manner.


I think we're in danger of taking this too literally in too isolated a case. The new ...._s APIs which fill buffers (like strcpy_s) do improve security - IIRC the debug version asserts if you try and overfill the buffer. Maybe fopen_s is not really needed for security but is just there to complete the set? (Personally I find the new ones - and all the warnings you get if you don't use them - a pain.)

Dave

The _s may provide some "security" (I would call it simply bounds checking--it's not a security issue unless there's some way an attacker can leverage an array overflow in any particular case) but only if you use them properly.

The following code fragment comes from the WALKALL example on MSDN. While it doesn't use the _s functions, the function StringCchPrintf() is intended to provide the same sort of protection against buffer overflows--but only if you use it correctly.
// CODE REVIEW: Replace Banned API.
// wsprintf(szBuff, "CWinSink refcount increased to %d\n", m_dwRef+1);
StringCchPrintf(szBuff, 255, "CWinSink refcount increased to %d\n", m_dwRef+1);

Note that a constant 255 is passed as the buffer size. Who knows what the _real_ buffer size is going to be after two or three maintenance programmers have worked on it? Obviously, the right way to use the function is to use a compile-time expression that is guaranteed to evaluate to the buffer size no matter what changes are made:
StringCchPrintf(szBuff, sizeof szBuff, "CWinSink refcount increased to %d\n", m_dwRef+1);
or, if you may need Unicode portability:
StringCchPrintf(szBuff, sizeof szBuff/sizeof (TCHAR), "CWinSink refcount increased to %d\n", m_dwRef+1);

By the way, the MSDN page for StringCchPrintf() has an even worse example of how to use the function.

Norm

--
To reply, change domain to an adult feline.



