[sr #107522] Use of dangerous/banned functions

Jeffrey Walton INVALID.NOREPLY at gnu.org
Wed Nov 17 00:30:14 CET 2010


                 Summary: Use of dangerous/banned functions
                 Project: GnuTLS
            Submitted by: noloader
            Submitted on: Tue 16 Nov 2010 11:30:10 PM GMT
                Category: None
                Priority: 5 - Normal
                Severity: 3 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: None



GnuTLS uses unsafe string handling functions. From Apples Security Guide,
Table 1 (p. 35):

Table 1: String functions to use and avoid
Don't use these functions - Use these instead
strcat                    | strlcat
strcpy                    | strlcpy
strncat                   | strlcat
strncpy                   | strlcpy
sprintf                   | snprintf
vsprintf                  | vsnprint

The same theme rings true in the Microsoft world. For example, see Howard and
LeBlanc's Writing Secure Code. Use of safe string handling functions is a
secure code quality gate. Microsoft software which uses dangerous and banned
functions will not pass internal quality checks.

== References ==
Apple Inc., "Secure Coding Guide: Security", String Handling, p.35.
Wheeler, "Secure Programming for Linux and Unix HOWTO", Section 6.1 Dangers
in C/C++, p 61.


Reply to this item at:


  Message sent via/by Savannah

More information about the Gnutls-devel mailing list