snprintf: the safe function for formatting strings
2011-12-01 14:15
While reading UNIX Network Programming I came across this passage:
“If you're not already in the habit of using snprintf instead of the older sprintf, now's the time to learn. Calls to sprintf cannot check for overflow of the destination buffer. snprintf, on the other hand, requires that the second argument be the size of the destination buffer, and this buffer will not overflow. snprintf was a relatively late addition to the ANSI C standard, introduced in the version referred to as ISO C99. Virtually all vendors provide it as part of the standard C library, and many freely available versions are also available. We use snprintf throughout the text, and we recommend using it instead of sprintf in all your programs for reliability.

It is remarkable how many network break-ins have occurred by a hacker sending data to cause a server's call to sprintf to overflow its buffer. Other functions that we should be careful with are gets, strcat, and strcpy, normally calling fgets, strncat, and strncpy instead. Even better are the more recently available functions strlcat and strlcpy, which ensure the result is a properly terminated string. Additional tips on writing secure network programs are found in Chapter 23 of [Garfinkel, Schwartz, and Spafford 2003].”
The point is buffer overflow: the destination buffer has a fixed size, so the formatting function has to be handed that size as a bound on how much it may write, and the caller has to check the return value to learn whether the result was cut short.
The following code compiles and was debugged under VS2005.
    // (assumes <stdio.h> and <stdarg.h> are already pulled in through the
    //  MFC precompiled header; TRACE is the MFC debug-output macro)

    //
    // Secure version of SPRINTF function
    //
    // Writes at most size-1 characters plus a terminating NUL into buf.
    // Note: the version originally posted called vsprintf and only
    // measured strlen(buf) afterwards, so an oversized result had already
    // overflowed buf by the time the check ran. The bounded write has to
    // be vsnprintf itself.
    int CSerialPort::snprintf(char *buf, size_t size, const char *fmt, ...)
    {
        int n;
        va_list ap;

        if (size == 0)
            return 0;

        va_start(ap, fmt);
        n = vsnprintf(buf, size, fmt, ap);
        va_end(ap);

        // C99 returns the length the full result would need, so n >= size
        // means truncation. Older MSVC CRTs (VS2005 included) return -1 on
        // truncation and may leave buf unterminated, so terminate here.
        if (n < 0 || (size_t)n >= size) {
            buf[size - 1] = '\0';
            TRACE("snprintf: '%s' truncated to fit array", fmt);
        }
        return(n);
    }
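As an added example (not code from the post or from Stevens' book), the following C program shows the three things the quoted passage asks for in practice: a bounded format call that detects truncation from the return value, a strlcpy-style copy that always terminates, and a demonstration of why strncpy is ranked below it (it does not terminate when the source does not fit). The names format_bounded, strlcpy_ex and strncpy_terminated are my own, and the oversized "client" string is constructed input standing in for attacker-supplied data.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded formatting with truncation reporting. Formats into buf (size
 * bytes) and returns 1 if the whole result fit, 0 if it was cut short.
 * buf is always a NUL-terminated prefix on return, so a caller that
 * ignores the result still cannot read past the buffer. */
int format_bounded(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);   /* never writes more than size bytes */
    va_end(ap);

    /* C99: n is the length the complete result needed, so n >= size means
     * truncation. Pre-C99 CRTs (older MSVC) return -1 instead and may skip
     * the terminator; treat both the same and terminate explicitly. */
    if (n < 0 || (size_t)n >= size) {
        buf[size - 1] = '\0';
        return 0;
    }
    return 1;
}

/* strlcpy semantics as the quoted text describes them: copy at most
 * size-1 bytes, always NUL-terminate, and return strlen(src) so the
 * caller can detect truncation with (ret >= size). Written out here
 * because not every libc ships strlcpy (glibc only added it in 2.38);
 * the _ex suffix avoids clashing with a system copy. */
size_t strlcpy_ex(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);

    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Why the text ranks strncpy below strlcpy: strncpy(dst, src, n) leaves
 * dst unterminated when src has no NUL in its first n bytes. Copies src
 * into a scratch buffer prefilled with 'X' and returns 1 if a terminator
 * ended up within the first n bytes, 0 otherwise. */
int strncpy_terminated(const char *src, size_t n)
{
    char dst[32];

    if (n > sizeof dst)
        n = sizeof dst;
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

int main(void)
{
    /* Constructed input: a "client name" far longer than the reply buffer,
     * the shape of input the quoted passage says breaks sprintf callers. */
    const char *client = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char reply[16];
    char name[8];

    if (!format_bounded(reply, sizeof reply, "hello %s", client))
        printf("reply truncated to \"%s\"\n", reply);
    if (strlcpy_ex(name, client, sizeof name) >= sizeof name)
        printf("name truncated to \"%s\"\n", name);
    printf("strncpy terminated: short=%d long=%d\n",
           strncpy_terminated("bob", 8), strncpy_terminated(client, 8));
    return 0;
}
```

Truncation is a design decision, not a free fix: a server that silently keeps the cut-down prefix may still misbehave (a shortened path or command is a different path or command), so the return value should drive a reject-or-log decision rather than be discarded.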