代码审查缓冲区溢出 [英] code review for buffer overflows

问题描述

大家好，

我需要对缓冲区溢出的代码进行一些检查.

我知道通常我们有不安全的C函数，例如strcpy，strcat，gets ..
如果发生在代码中，则应将其删除.

然后，我认为必须将其替换为安全的替代方案
对? strncpy，strncat等...

这是进行(安全)代码审查的正确方法吗?
关于如何正确执行此过程，也许在此类指南上有一些很好的链接和资源?

谢谢.

ps.刚发现此工具: http://www.dwheeler.com/flawfinder/ [

Hi people,

I need to do some review of code for buffer overflows.

I know usually we have insecure C functions e.g., strcpy, strcat, gets..
which should be probably removed if occurred in code.

Then I believe they must be replaced by their secure alternatives
right? strncpy, strncat, ... etc.

Is this the right way to do (security) code review?
Maybe there are some good links and resources on such guidelines, as to how this process should be done well?

thanks.

ps. Just discovered this tool: http://www.dwheeler.com/flawfinder/[^]
Is anyone familiar with it? Do you know if it is good?

推荐答案

您可以(make&)使用C ++对象来管理适当的内存操作
或仅采用行数据级别 [ ^ ]:)

You could (make&)use C++ objects to manage the memory operations proper
or just take the Row data level[^] :)

据我所知，strccpy，strcat等的安全版本为strcpy _s ，strcat _s 等. strcpy，strncpy等会生成编译器警告，告诉您使用"_s"-版本.

As far as I know, the secure versions of strccpy, strcat etc. are strcpy_s, strcat_s and so on. strcpy, strncpy etc. generate a compiler warning telling you to use the "_s" - versions instead.

这篇关于代码审查缓冲区溢出的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！