...
Note that fprintf() and printf() are C99 standard functions and not managed string functions.
Compliant Solution
This compliant solution illustrates how the SafeStr library can be used to create and manipulate safe strings.
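```c
safestr_t string1;
safestr_t string2;

XXL_TRY_BEGIN {
  /* Create a safe string from a C string literal. */
  string1 = safestr_create("sample string", 0);
  /* Allocate a second safe string with an initial size of 14. */
  string2 = safestr_alloc(14, 0);
  /* Copy and print through the library rather than the C99 string functions. */
  safestr_copy(&string2, string1);
  safestr_printf(string2);
}
XXL_CATCH (SAFESTR_ERROR_OUT_OF_MEMORY) {
  printf("Insufficient Memory.\n");
}
XXL_EXCEPT {
  /* Any other error raised inside the TRY block lands here. */
  printf("Operation failed.\n");
}
XXL_TRY_END;
```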
Note that printf() is a C99 standard function and not a SafeStr string function.
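The size bookkeeping that makes a managed-string copy safe where strcpy() is not, as an added example that is not code from this page or from the SafeStr library. The names `mstr`, `mstr_alloc`, `mstr_set` and `copy_into` are hypothetical, and growing the destination on copy is an assumption of this example, not documented SafeStr behavior.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical managed string (not SafeStr's type): size travels with data. */
typedef struct {
    size_t len;  /* bytes in use, excluding the terminator */
    size_t cap;  /* bytes allocated, including the terminator */
    char *data;
} mstr;

/* Allocate an empty string with room for cap bytes; returns 0 or -1. */
int mstr_alloc(mstr *s, size_t cap) {
    s->len = 0;
    s->cap = cap ? cap : 1;
    s->data = calloc(s->cap, 1);
    return s->data ? 0 : -1;
}

/* Copy n bytes of src into dst, growing dst first if needed; dst is unchanged on failure. */
int mstr_set(mstr *dst, const char *src, size_t n) {
    if (n + 1 > dst->cap) {
        char *p = realloc(dst->data, n + 1);
        if (p == NULL) return -1;
        dst->data = p;
        dst->cap = n + 1;
    }
    memmove(dst->data, src, n);
    dst->data[n] = '\0';
    dst->len = n;
    return 0;
}

/* Mirror the page's example: allocate dst_cap bytes, then copy text into it.
   Returns the capacity after the copy, or -1 on allocation failure. */
long copy_into(size_t dst_cap, const char *text) {
    mstr dst;
    long cap = -1;
    if (mstr_alloc(&dst, dst_cap) != 0) return -1;
    if (mstr_set(&dst, text, strlen(text)) == 0 && strcmp(dst.data, text) == 0)
        cap = (long)dst.cap;
    free(dst.data);
    return cap;
}

int main(void) {
    printf("%ld %ld\n", copy_into(14, "sample string"),
           copy_into(14, "a string longer than fourteen bytes"));
    return 0;
}
```

With a 14-byte destination, "sample string" fits exactly, while the longer input forces a reallocation before any byte is written.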
Risk Assessment
String handling functions defined in C99 Section 7.21 and elsewhere are susceptible to common programming errors that can lead to serious, exploitable vulnerabilities. Managed strings, when used properly, can eliminate many of these errors--particularly in new development.
...