One such example is strncat. In these cases, subsequent copy operations may result in more data being copied than the program can handle.
Chapter 12: Passive Analysis (Part IV, p. 285)
• When handling C style strings, is the program careful to ensure that buffers have sufficient capacity to handle all characters including the null termination character?
• For all array/pointer operations, are there clear checks that prevent access beyond the end of an array?
• Does the program check return values from all functions that provide them? Failure to do so is a common problem when using values returned from memory allocation functions such as malloc, calloc, realloc, and new.
• Does the program properly initialize all variables that might be read before they are written? If not, in the case of local function variables, is it possible to perform a sequence of function calls that effectively initializes a variable with user-supplied data?
• Does the program make use of function or jump pointers? If so, do these reside in writable program memory?
• Does the program pass user-supplied strings to any function that might in turn use those strings as format strings? It is not always obvious that a string may be used as a format string.