We are launching a new section on the MSDN Developer Security Center called Spot the Bug. It lets you see whether you have what it takes to find a security vulnerability. It will be up on the MSDN Security Developer Center shortly, but in the meantime, give it a shot here. Post a comment indicating what the bug is.

We'll start off with an easy one this first time:


#define MAX (50)
char szDest[MAX];
strncpy(szDest,pszSrc,strlen(pszSrc));


The strcpy() function copies the string pointed to by the source (including the terminating '\0' character) to the array pointed to by the destination. The strings may not overlap, and the destination array must be large enough to receive the copy.

In this example, the strncpy() function is used. It is similar, except that at most n bytes of the source are copied, and here n is strlen(pszSrc). If the length of the source is less than n, the remainder of the destination is padded with nulls.
The programmer is using the wrong size for the strncpy bound: the length of the source is passed, not the size of the destination. The call therefore writes strlen(pszSrc) bytes into a buffer that holds only MAX bytes, and if the source is longer than MAX bytes the result is a buffer overrun. A second consequence of using the source length as the count is that the terminating '\0' is never copied, so szDest is not guaranteed to be a terminated string even when the source fits. The bound should be derived from the destination (sizeof(szDest) - 1), and the destination should be explicitly terminated.
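The following is an added example, not code from the original post. It reproduces the post's strncpy call on an input that fits, to show that the destination is left unterminated, computes whether the call would overrun for a given input (the overrunning call itself is never executed, since that is undefined behaviour), and shows a corrected copy bounded by the destination size that always terminates and reports truncation. The input strings and the helper names (original_would_overrun, original_copy_terminated, safe_copy, fixed_copy_len, fixed_copy_fits) are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX (50)

/* Constructed sample inputs (not from the post). kLongInput is 60 chars, longer than MAX. */
static const char kShortInput[] = "hello";
static const char kLongInput[]  = "012345678901234567890123456789012345678901234567890123456789";

/* The post's call writes strlen(pszSrc) bytes; it overruns when that exceeds the buffer. */
static bool original_would_overrun(const char *pszSrc, size_t dest_size)
{
    return strlen(pszSrc) > dest_size;
}

/* Run the post's exact call on an input that fits, to show the second defect:
 * with n == strlen(pszSrc), strncpy never writes the terminating '\0'.
 * Returns 1 if szDest is NUL-terminated within its MAX bytes, 0 if not,
 * and -1 if the call would overrun (it is then not executed). */
static int original_copy_terminated(const char *pszSrc)
{
    char szDest[MAX];
    memset(szDest, 'X', sizeof szDest);       /* stand-in for uninitialised stack contents */
    if (original_would_overrun(pszSrc, sizeof szDest))
        return -1;
    strncpy(szDest, pszSrc, strlen(pszSrc));  /* the call from the post */
    return memchr(szDest, '\0', sizeof szDest) != NULL;
}

/* Corrected copy: bound by the DESTINATION size, always NUL-terminate,
 * and tell the caller whether the whole source fitted. */
static bool safe_copy(char *dest, size_t dest_size, const char *src)
{
    size_t src_len;
    if (dest_size == 0)
        return false;
    src_len = strlen(src);
    if (src_len >= dest_size) {
        memcpy(dest, src, dest_size - 1);     /* keep room for the terminator */
        dest[dest_size - 1] = '\0';
        return false;                         /* truncated */
    }
    memcpy(dest, src, src_len + 1);           /* copies the terminator too */
    return true;
}

/* Length of the string left in a MAX-byte buffer after safe_copy (never more than MAX - 1). */
static size_t fixed_copy_len(const char *pszSrc)
{
    char szDest[MAX];
    safe_copy(szDest, sizeof szDest, pszSrc);
    return strlen(szDest);
}

/* Whether safe_copy into a MAX-byte buffer kept the whole source. */
static bool fixed_copy_fits(const char *pszSrc)
{
    char szDest[MAX];
    return safe_copy(szDest, sizeof szDest, pszSrc);
}

int main(void)
{
    char szDest[MAX];
    printf("original call on %zu-byte input: overruns %d-byte buffer? %s\n",
           strlen(kLongInput), MAX, original_would_overrun(kLongInput, MAX) ? "yes" : "no");
    printf("original call on \"%s\": NUL-terminated? %s\n",
           kShortInput, original_copy_terminated(kShortInput) == 1 ? "yes" : "no");
    printf("safe_copy of long input: fitted=%s, stored length=%zu\n",
           safe_copy(szDest, sizeof szDest, kLongInput) ? "yes" : "no", strlen(szDest));
    return 0;
}
```

The guard in original_copy_terminated exists only so the post's call can be shown safely on a short input; in real code the fix is to stop deriving the bound from the source at all, as safe_copy does, and to decide explicitly what to do when the return value reports truncation.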

For more information on buffer overruns, visit the MSDN Security Developer Center and read Fix Those Buffer Overruns! by Michael Howard.