Re: [Exim] Fw: (bugtraq) Exim 3.34 and lower

Author: Florian Weimer
Date:  
To: exim-users
Subject: Re: [Exim] Fw: (bugtraq) Exim 3.34 and lower
Philip Hazel <ph10@???> writes:

> The author of the patch uses strncpy(a,b,n) to mean "copy string b
> to buffer a, which is of length n". This is actually not sensible if
> n is a lot larger than the length of string b. The reason it is not
> sensible is that strncpy() insists on padding out the destination
> buffer with binary zeros to the length given. So, if you call
> strncpy(a, "abc", 4096) for example, you waste a lot of resources
> writing 4092 unnecessary zeros, possibly touching memory pages which
> might otherwise have been left alone.

strncpy() has a far more serious problem: It does not write a
terminating zero if the buffer is full. This means that buffer
overflows can occur later in unexpected places.

Using sprintf() comes with a performance impact, too.

--
Florian Weimer                       Weimer@???
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          +49-711-685-5973/fax +49-711-685-5898