How To Identify Miscalculated Null Termination Vulnerabilities

From Guidance Share
Revision as of 21:02, 1 December 2007 by JD (talk | contribs)

While the following example is not exploitable, it is a good illustration of how a terminating null can be omitted or misplaced even when a length-limited copy function such as strncpy is used:

#include <stdio.h>
#include <string.h>

int main(void)
{
    /* 24 characters plus the terminating null */
    char longString[] = "Cellular bananular phone";
    /* strncpy copies at most 16 bytes and writes no terminator when the
       source is 16 characters or longer, so shortString is left unterminated */
    char shortString[16];

    strncpy(shortString, longString, 16);
    printf("The last character in shortString is: %c %1$x\n", shortString[15]);
    return 0;
}

The above code gives the following output:

The last character in shortString is: l 6c

So the shortString array does not end in a null character, even though the length-limited string function strncpy() was used. Any later call that treats shortString as a C string (strlen, strcat, printf with %s) will read past the end of the array.
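The following is an added example, not code from the Guidance Share page: it puts the bare strncpy pattern next to two idioms that always leave the destination terminated, and checks each result with memchr, which is the test a reviewer or unit test can apply to any fixed-size copy. The function names, the 16-byte buffer size and the sample strings are all chosen here for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Destination size used throughout; matches the page's 16-byte shortString */
#define DEST_SIZE 16

/* Returns 1 if dest contains a null byte somewhere within dest_size bytes,
   i.e. it is a valid C string, and 0 if it is unterminated. */
int is_terminated(const char *dest, size_t dest_size)
{
    return memchr(dest, '\0', dest_size) != NULL;
}

/* The page's pattern: strncpy with the full buffer size. If src has
   dest_size or more characters, no terminator is written. */
int copy_unsafe(char *dest, size_t dest_size, const char *src)
{
    strncpy(dest, src, dest_size);
    return is_terminated(dest, dest_size);
}

/* Fix 1: reserve the last byte and write the terminator unconditionally.
   Truncates silently, but the result is always a valid string. */
int copy_safe(char *dest, size_t dest_size, const char *src)
{
    if (dest_size == 0)
        return 0;
    strncpy(dest, src, dest_size - 1);
    dest[dest_size - 1] = '\0';
    return is_terminated(dest, dest_size);
}

/* Fix 2: snprintf always terminates (for dest_size > 0) and reports the
   length it wanted to write, so truncation can be detected.
   Returns 1 if src was truncated, 0 if it fitted. */
int copy_snprintf(char *dest, size_t dest_size, const char *src)
{
    int needed = snprintf(dest, dest_size, "%s", src);
    return needed >= 0 && (size_t)needed >= dest_size;
}

int main(void)
{
    char buf[DEST_SIZE];
    const char *longString = "Cellular bananular phone"; /* 24 chars */

    printf("strncpy(16) terminated: %d\n", copy_unsafe(buf, DEST_SIZE, longString));
    printf("strncpy(15)+'\\0' terminated: %d -> \"%s\"\n",
           copy_safe(buf, DEST_SIZE, longString), buf);
    printf("snprintf truncated: %d -> \"%s\"\n",
           copy_snprintf(buf, DEST_SIZE, longString), buf);
    return 0;
}
```

The memchr check is worth keeping in unit tests for any wrapper around strncpy: it catches the missing terminator directly, whereas strlen on an unterminated buffer is itself an out-of-bounds read.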