ryanr's Journal: Bug Puzzle #4

OK, since you probably had to look at my stupid C questions, I might as well produce a bug puzzle.

What's wrong with this code snippet?

char *dest;
char src[] = "Hello";

dest = (char *)malloc (strlen(src));
strcpy (dest, src);

(This one should be relatively easy for most people, I think.)

malloc too small

[Krelnik]

The malloc() call doesn't include enough space for the nul terminator on the string.

Re:malloc too small

[ryanr]

Correct.

This is one of the many examples of an off-by-one error. Probably the nicest kind, because it will cause trouble most of the time right away, and not hide from you and become a security bug later. :)

Re:malloc too small

[mekkab]

damn you, quick-draw McGraw! ;)

what's wrong

[turg]

What's wrong with this code snippet?

Well, that depends on what results you were expecting

Re:what's wrong

[ryanr]

Heh, well that's true. :) One answer would be "not crashing", which this code will do from time to time. :)

The real answer...

[Nevyn]

What's wrong with this code snippet?

If I saw this in live code, I'd have to say the answer is ... writing string code in C without using a string ADT. Really there are more than a few choices [and.org], but yet some C programers insist they can write perfect code every time ... or that it's so much more efficient to not bother [google.com].