OWASP says:
"C library functions such as strcpy(), strcat(), sprintf() and vsprintf() operate on null terminated strings and perform no bounds checking."
sprintf(str, "%s", message); // assume declaration and initialization of variables
\0
You're correct on both problems, though they're really both the same problem (which is accessing data beyond the boundaries of an array).
A solution to your first problem is to instead use snprintf, which accepts a buffer size as an argument.
A solution to your second problem is to give a maximum length argument to s[n]printf. For example:
char buffer[128];
snprintf(buffer, sizeof(buffer), "This is a %.4s\n", "testGARBAGE DATA");
// strcmp(buffer, "This is a test\n") == 0
If you want to store the entire string (e.g. in the case sizeof(buffer) is too small), run snprintf twice:
// Behaviour is different in SUSv2; see
// "conforming to" section of man 3 sprintf
int length = snprintf(NULL, 0, "This is a %.4s\n", "testGARBAGE DATA");
++length; // +1 for null terminator
char *buffer = malloc(length);
snprintf(buffer, length, "This is a %.4s\n", "testGARBAGE DATA");
(You can probably fit this into a function using va.)
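An added example, not part of the original answer: the two-pass pattern wrapped in a variadic function, next to a fixed-buffer variant that reports truncation through snprintf's return value. The names format_fixed and format_alloc are assumptions for illustration, and the code relies on C99 snprintf semantics.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: format into a fixed buffer and report truncation.
 * Returns 0 if the output fit, 1 if it was cut short, -1 on error. */
int format_fixed(char *dst, size_t size, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    int n = vsnprintf(dst, size, fmt, args);
    va_end(args);
    if (n < 0)
        return -1;
    /* n is the length the full output needs, excluding the terminator */
    return (size_t)n >= size ? 1 : 0;
}

/* Hypothetical helper: the two-pass pattern as a variadic function.
 * Returns a malloc'd string the caller must free, or NULL on failure. */
char *format_alloc(const char *fmt, ...)
{
    va_list args, args_copy;
    va_start(args, fmt);
    va_copy(args_copy, args); /* args is indeterminate after the first pass */

    /* Pass 1: measure (C99 behaviour; SUSv2 differs for size 0) */
    int length = vsnprintf(NULL, 0, fmt, args);
    va_end(args);
    char *buffer = NULL;
    if (length >= 0)
        buffer = malloc((size_t)length + 1); /* +1 for null terminator */
    /* Pass 2: write, using the untouched copy of the argument list */
    if (buffer != NULL)
        vsnprintf(buffer, (size_t)length + 1, fmt, args_copy);
    va_end(args_copy);
    return buffer;
}

int main(void)
{
    char small[8];
    int cut = format_fixed(small, sizeof small, "%s", "0123456789");
    printf("truncated=%d stored=\"%s\"\n", cut, small);
    char *s = format_alloc("This is a %.4s\n", "testGARBAGE DATA");
    if (s != NULL) { fputs(s, stdout); free(s); }
    return 0;
}
```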