Help | Site Map
Connecting Tech Pros Worldwide
bytes > answers > C
Reply
 
LinkBack Thread Tools
  #1  
Old August 29th, 2008, 07:09 AM
Newbie
  
Join Date: Aug 2008
Posts: 1
Default strcmp between 2 char arrays
hi al,pls help for the following code snippet
main()
{
typedef char abc[20];
abc a;
abc b;
strcpy(a,"HI");
printf("Enter string");
scanf("%s",b);

if(strcmp(a,b)==0)
{ printf("\nSUCCESS");
}
else
{
printf("\nFAILURE");
}
}

is anything wrong in the strmp stmt.,when i run my code for deepcheck,it says"Index from user input, so potential overflow/underflow on variable '(const char *)&b' in the function call 'strcmp' ".
Reply
  #2  
Old August 29th, 2008, 07:26 AM
gpraghuram's Avatar
Expert
  
Join Date: Mar 2007
Location: Chennai
Age: 29
Posts: 1,157
Default
I dont think so that there is a issue with your code.

Raghu
Reply
  #3  
Old August 29th, 2008, 08:21 AM
Banfa's Avatar
AdministratorVoR
  
Join Date: Feb 2006
Location: South West UK
Posts: 5,296
Default
Please do not double post, please do read the posting guidelines.

Banfa
Administrator
Reply
  #4  
Old August 29th, 2008, 08:28 AM
Banfa's Avatar
AdministratorVoR
  
Join Date: Feb 2006
Location: South West UK
Posts: 5,296
Default
Quote:
Originally Posted by jeanne
is anything wrong in the strmp stmt.,when i run my code for deepcheck,it says"Index from user input, so potential overflow/underflow on variable '(const char *)&b' in the function call 'strcmp' ".
You code is syntactically correct and should compile.

However deepcheck goes further than just simple syntax checking (I assume it is a static analysis tool). Your variable b is an array of 20 characters. However you are passing a pointer to that array to scanf for string input. Whether the buffer overflows or not is then dependent on how much data the user inputs, <20 characters and you are fine >= 20 characters and you have a buffer overflow which is undefined behaviour.

This is a rather classic example of the poor programming that has lead to security vulnerabilities and an example of program validity being defined at run time not compile time. That is this flaw in using scanf has been the cause of many security vulnerabilities over the years and the behaviour of the program is either good or undefined depending on what the user does.

Instead of using scanf you could use fgets which allows you to pass the buffer size to the function reading the keyboard and prevents buffer overruns.
Reply
  #5  
Old August 29th, 2008, 09:41 AM
Moderator
  
Join Date: Mar 2007
Location: Voorschoten, the Netherlands
Age: 52
Posts: 8,471
Default
Quote:
Originally Posted by Banfa
You code is syntactically correct and should compile.

However deepcheck goes further than just simple syntax checking (I assume it is a static analysis tool). Your variable b is an array of 20 characters. However you are passing a pointer to that array to scanf for string input.
What surprises me is that that tool is whining about strcmp instead of scanf.

kind regards,

Jos
Reply
Reply

Bookmarks

« Previous Thread | Next Thread »
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are Off
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On

What is Bytes?

We are a network of experts and professionals in IT and software development that help one another with answers to tough questions and share insights. Get the best answers to your questions from over network members.
Post your question now . . .
It's fast and it's free

Popular Articles
Quick Browse:
Communities / Archives
XML / CSS | HTML | Javascript | PHP | Perl | Visual Basic | Python | C++ / C | Java | .NET / C# / VB / XML / ASP.net | ASP
PostgreSQL | MS SQL | Oracle | IBM DB2 | MS Access | MySQL

About Bytes | Sitemap | Privacy Policy | Terms of Use
Copyright 1995-2008 Bytes.com. All rights Reserved