strcmp between 2 char arrays

Collapse
X
Collapse
 
  • Page of 1
  • Time
  • Show
Clear All
new posts
Previous template Next
  • jeanne
    New Member
    • Aug 2008
    • 1
    #1

    strcmp between 2 char arrays

    hi al,pls help for the following code snippet
    main()
    {
    typedef char abc[20];
    abc a;
    abc b;
    strcpy(a,"HI");
    printf("Enter string");
    scanf("%s",b);

    if(strcmp(a,b)= =0)
    { printf("\nSUCCE SS");
    }
    else
    {
    printf("\nFAILU RE");
    }
    }

    is anything wrong in the strmp stmt.,when i run my code for deepcheck,it says"Index from user input, so potential overflow/underflow on variable '(const char *)&b' in the function call 'strcmp' ".
    Tags: None
    • gpraghuram
      Recognized Expert Top Contributor
      • Mar 2007
      • 1275
      #2
      I dont think so that there is a issue with your code.

      Raghu

        Comment

        • Banfa
          Recognized Expert Expert
          • Feb 2006
          • 9067
          #3
          Please do not double post, please do read the posting guidelines.

          Banfa
          Administrator

            Comment

            • Banfa
              Recognized Expert Expert
              • Feb 2006
              • 9067
              #4
              Originally posted by jeanne
              is anything wrong in the strmp stmt.,when i run my code for deepcheck,it says"Index from user input, so potential overflow/underflow on variable '(const char *)&b' in the function call 'strcmp' ".
              You code is syntactically correct and should compile.

              However deepcheck goes further than just simple syntax checking (I assume it is a static analysis tool). Your variable b is an array of 20 characters. However you are passing a pointer to that array to scanf for string input. Whether the buffer overflows or not is then dependent on how much data the user inputs, <20 characters and you are fine >= 20 characters and you have a buffer overflow which is undefined behaviour.

              This is a rather classic example of the poor programming that has lead to security vulnerabilities and an example of program validity being defined at run time not compile time. That is this flaw in using scanf has been the cause of many security vulnerabilities over the years and the behaviour of the program is either good or undefined depending on what the user does.

              Instead of using scanf you could use fgets which allows you to pass the buffer size to the function reading the keyboard and prevents buffer overruns.

                Comment

                • JosAH
                  Recognized Expert MVP
                  • Mar 2007
                  • 11453
                  #5
                  Originally posted by Banfa
                  You code is syntactically correct and should compile.

                  However deepcheck goes further than just simple syntax checking (I assume it is a static analysis tool). Your variable b is an array of 20 characters. However you are passing a pointer to that array to scanf for string input.
                  What surprises me is that that tool is whining about strcmp instead of scanf.

                  kind regards,

                  Jos

                    Comment

                    • evergreen
                      New Member
                      • Feb 2015
                      • 1
                      #6
                      check this method(by follow link) for compare 2 char array [in value of block memory by address]
                      http://www.cplusplus.com/reference/cstring/memcmp/

                        Comment

                        Previous template Next
                        Working...