Re: gets_s function




I expect that gets_s checks the string dimension before assigning a value to it. Is it
wrong?

Thanks

"Igor Tandetnik" wrote:

> Antonio Calo <AntonioCal@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > following you can find a fragment of code and the output returned
> > relevant to my question.
> >
> > int main()
> > {
> >     char Stringa_01[5],Stringa_02[6],Stringa_03[11], Stringa_010[2];
> >
> >     cout << "\tInserire la Stringa_01: ";
> >     gets_s(Stringa_01,10);
>
> You are lying to the function. You tell it the size of the buffer is 10,
> when in fact it's 5. You are asking for a buffer overflow, and you are
> getting it.
>
> >     cout << '\t' << "Stringa_01: " << Stringa_01 << endl << endl;
> >
> >     return 0;
> >
> > }
> >
> > Inserire la Stringa_01: 123456789
> > Stringa_01: 123456789
> >
> > At execution I entered the string "123456789" (10 characters) and I
> > expected to get String_01 equal to "1234" because String_01 is
> > declared to be 4 characters in length.
>
> But how is gets_s supposed to know that? You told it the buffer is 10
> characters long, and it took you at your word and wrote 10 characters,
> going past Stringa_01 and overwriting some memory that just happens to
> be located after it. Like I said, a buffer overflow.
> --
> With best wishes,
> Igor Tandetnik
>
> With sufficient thrust, pigs fly just fine. However, this is not
> necessarily a good idea. It is hard to be sure where they are going to
> land, and it could be dangerous sitting under them as they fly
> overhead. -- RFC 1925
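
An added example, not part of the original thread: a bounded line reader whose size comes from the array declaration itself, so the length passed can never disagree with the real buffer as it does in `gets_s(Stringa_01,10)`. `read_line`, `LineStatus` and the sample input are names and data made up for this illustration, and the helper uses portable iostreams rather than the CRT.

```cpp
#include <cstddef>
#include <iostream>
#include <sstream>
#include <string>

enum class LineStatus { Ok, Truncated, Eof };

// read_line is a hypothetical helper written for this example, not a CRT function.
// N is deduced from the array's declaration, so the caller cannot state a size
// that disagrees with the real buffer (the mistake in gets_s(Stringa_01,10)).
template <std::size_t N>
LineStatus read_line(std::istream& in, char (&buf)[N]) {
    static_assert(N > 0, "need room for the terminating '\\0'");
    std::size_t len = 0;
    bool truncated = false;
    bool got_any = false;
    int c;
    while ((c = in.get()) != std::char_traits<char>::eof()) {
        got_any = true;
        if (c == '\n') break;
        if (len + 1 < N) buf[len++] = static_cast<char>(c);  // keep one slot for '\0'
        else truncated = true;  // drop the excess but keep consuming the line
    }
    buf[len] = '\0';
    if (!got_any) return LineStatus::Eof;
    return truncated ? LineStatus::Truncated : LineStatus::Ok;
}

int main() {
    // Constructed input: the line typed in the thread, then a second line.
    std::istringstream input("123456789\nabc\n");
    char Stringa_01[5], Stringa_02[6];

    LineStatus s1 = read_line(input, Stringa_01);
    std::cout << "Stringa_01: " << Stringa_01
              << (s1 == LineStatus::Truncated ? " (truncated)" : "") << '\n';

    // The discarded tail "56789" does not leak into the next read.
    read_line(input, Stringa_02);
    std::cout << "Stringa_02: " << Stringa_02 << '\n';
    return 0;
}
```

With `gets_s` itself, the same discipline is to pass `sizeof Stringa_01` instead of a literal, so the size argument changes whenever the declaration does.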


