Kragen:
> Well, the question is, what do you do with strings that are too long? Do
> you (a) dynamically allocate memory for them, (b) silently truncate them,
> (c) return an error, or (d) let them overflow your buffers and crash your
> program in interesting and possibly-exploitable ways?
> [...]
> I think that (c) is better -- as you said -- in situations where there
> is the potential for DoSes.
>
> strncpy, strncat, snprintf, et al., don't support (c) very well. Small
> wrapper functions to do (c) (much like djb's stralloc functions, which
> support (a), used throughout qmail) would greatly facilitate it.
Wietse's VMailer (www.vmailer.org) MTA uses a different approach:
string lengths are limited upon entry, and the number of instances
of any object is limited as well. The limits are generous enough
that they do not get in the way of normal operation. Because of
these limits, the programs can use straightforward (a) style memory
allocation without nasty unbounded memory allocation problems.
Wietse
Received on Mar 03 1998
Intro
