| Wiki Markup |
|---|
The managed string library described in \[[Burch 06|AA. C References#Seacord 06]\] was developed in response to the need for a string library that could improve the quality and security of newly developed C language programs while eliminating obstacles to widespread adoption and possible |
standardization. |
The managed string library is based on a dynamic approach in that memory is allocated and reallocated as required. This approach eliminates the possibility of unbounded copies, NULL-termination errors, and truncation by ensuring there is always adequate space available for the resulting string (including the terminating NULL character).
...
Note that the calls to fprintf() and printf() are C99 standard functions and not managed string functions.
The forthcoming technical report ISO/IEC TR 24731 Part II will also provide an API that dynamically allocates the results of string functions as needed.
Risk Assessment
String handling functions defined in C99 Section 7.21 and elsewhere are susceptible to common programming errors that can lead to serious, exploitable vulnerabilities. Managed strings, when used properly, can eliminate many of these errors--particularly in new development.
...
| Wiki Markup |
|---|
\[[Burch 06|AA. C References#Seacord 06]\] \[[CERT 0606c|AA. C References#CERT 0606c]\] \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.21, "String handling <string.h>" \[[Seacord 05a|AA. C References#Seacord 05a]\] Chapter 2, "Strings" |