On Sat, Jun 22, 2013 at 4:50 AM, Sylvain Munaut <246...@gmail.com> wrote:
>> In this case, I /know/ that string
>> b is properly terminated (because I wrote it into the code). So I use
>> the length of b to compare with a and l = strlen(b). There are other
>> ways, too, but this was the most unobtrusive way to handle this case.
>
> Huh ... but strcmp will stop comparing at the end of any of the two
> strings anyway.

Sylvain,

No, that's not true. If that were the case then string "abc" would be equal to string "ab", and strcmp knows that they are different (I tested this to be sure; it returns 99, while strcmp("abc", "abc") returns 0, as it should). I even tested this adding a new line onto one of the strings and strcmp reads them both through completely and tests that, not just the length of the shortest string.

Tom

> So I don't see how this: (
> https://github.com/gnuradio/gnuradio/commit/c1e91f0200a58a6cb24d1de9422f1a6e2483fc2c
> )
>
> - if (strcmp (name, all[i]->name ()) == 0){
> + if (strncmp (name, all[i]->name(), strlen(all[i]->name())) == 0){
>
> would provide any more safety against "bad" user strings.
>
> The only difference this code will make is that now "all[i]->name()"
> only needs to be a _prefix_ to "name" rather than a full length match.
> (which may very well fix the original issue but doesn't do much about
> "unsafe non null terminated strings")

Oh yeah, you're right about that. It's reading in 'name' in the first place without constraints that would cause the problem with non null terminated strings. But it does fix a problem we had.

Tom

> Cheers,
>
> Sylvain
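
Review bot: On the `+` line, bounding `strncmp` by `strlen(all[i]->name())` makes the test a prefix match, so any `name` that merely begins with a registered name now compares equal where the `-` line required the whole string to match. If an exact match is still intended, also require that `name` ends at that length (for example, check that `name[strlen(all[i]->name())]` is `'\0'` once the prefix compare succeeds), or keep `strcmp`. The `+` line also calls `all[i]->name()` twice; holding the result in a local would make the bound and the compared string visibly the same value.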
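
The two comparisons discussed in the thread, next to an exact match that also bounds the read of the caller's string. This is an added example, not code from the thread or from GNU Radio; the function names, the `cap` parameter and the sample strings are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* strcmp reduced to -1/0/1: C only guarantees the sign of the result,
 * so a specific value such as 99 is implementation behaviour. */
static int cmp_sign(const char *a, const char *b)
{
    int r = strcmp(a, b);
    return (r > 0) - (r < 0);
}

/* Same shape as the patched comparison: true when `registered`
 * is a prefix of `name`. */
static bool match_prefix(const char *name, const char *registered)
{
    return strncmp(name, registered, strlen(registered)) == 0;
}

/* Exact match for a name held in a buffer of `cap` bytes (assumed to be
 * known by the caller). Input with no NUL inside `cap` bytes is rejected,
 * so nothing is read past the buffer. */
static bool match_exact_bounded(const char *name, size_t cap,
                                const char *registered)
{
    size_t want = strlen(registered);  /* written in the code, terminated */
    size_t have = 0;
    while (have < cap && name[have] != '\0')  /* portable strnlen */
        have++;
    if (have == cap)                   /* unterminated input */
        return false;
    return have == want && memcmp(name, registered, want) == 0;
}

int main(void)
{
    const char raw[5] = { 'a', 'l', 'p', 'h', 'a' };  /* constructed, no NUL */
    printf("strcmp sign abc/ab:     %d\n", cmp_sign("abc", "ab"));
    printf("prefix alphabet/alpha:  %d\n", match_prefix("alphabet", "alpha"));
    printf("exact  alphabet/alpha:  %d\n",
           match_exact_bounded("alphabet", 9, "alpha"));
    printf("exact  alpha/alpha:     %d\n",
           match_exact_bounded("alpha", 6, "alpha"));
    printf("exact  unterminated:    %d\n",
           match_exact_bounded(raw, sizeof raw, "alpha"));
    return 0;
}
```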