strncpy – Is it really secure?

Posted: September 22, 2011 in Stack Smashing

Though there is a lot of information already available on the same, I would like to talk a bit about this. In many experts’ view, strncpy() just trades one type of bug for another. In a sense, this is true. A short and straight-forward answer would be “No!”, but let’s look at why it is so.

  • strcpy() copies data from the source onto the destination, until a NULL character is met in the source operand. It does not check bounds of the destination onto which it is copying data. So this can be used to overflow static buffers in memory, overwriting memory locations that ideally shouldn’t be overwritten.
  • strncpy() on the other hand, handles the problem with ease. It takes a third argument as the maximum number of characters that should be copied onto the destination string. This number is generally the size of the destination buffer. But then strncpy() does not append the destination string with a NULL character. Thus, if string handling functions were to use the destination buffer, they would have to blindly hope that the byte immediately after the destination buffer is a NULL character. In most cases, this is not true.

Thus if one were to use strncpy(), they would have to hope that the byte immediately after the destination buffer onto which they copy the string is a NULL character (0x0). This is not true in most of the cases, as static variables on the stack are allocated contiguously, enabling random access of data exceeding the bounds of the buffer. A classic example of such a case is one where a vulnerable strcpy() function call is made with the source string previously copied using a (supposedly safe) strncpy() function. This strcpy() function copies data till a NULL character is met, but this NULL character was never appended to the source string when the previous strncpy() function call was made. Thus there is a potential buffer overflow vulnerability. SmashTheStack’s IO has level6 which deals with this case specifically. I’ve also written a small writeup on hints regarding the same.

Another example is a strncpy() function followed by a strncat() function, which in some cases is vulnerable to a buffer overflow. SmashTheStack’s IO has level8 which deals with this case and I’ve also written a writeup on the same.

Well, what do we do then?

All we can do is to manually append a NULL character to a string once strncpy() call is done. In order to do this, we need the size of the buffer to be one more than the actual size of the string to be stored. A secure implementation would be:

#define STRINGSIZE 5

char buf [ STRINGSIZE + 1 ];

strncpy ( buf, “abcde”, STRINGSIZE );

memset ( buf [ STRINGSIZE ], 0x0, 1 );

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s