Secure Coding in C++/CLI
by Robert C. Seacord


Listing One

 1. #include <stdlib.h>
 2. #include <stdio.h>
 3. #include <windows.h>
 4. char buff[1028];
 5. struct user {
 6.     char *name;
 7. size_t len;
 8. int uid;
 9. };
10. bool checkpassword() {
11.   char password[10]; 
12.   puts("Enter 8 character password:");
13.   gets(password);
14.   if (strcmp(password, "NCC-1701") == 0) {
15. return true;
16.   }
17.    else {
18. return false;
19.    }
20. }
21. int main(int argc, char *argv[]) {
22.    struct user *userP = (struct user *)0xcdcdcdcd;
23. size_t userNameLen = 0xdeadbeef;
24. userP = (struct user *)malloc(sizeof(user));
25.    puts("Enter user name:");
26.    gets(buff);
27. if (!checkpassword()) {
28.     userNameLen = strlen(buff) + 1;
29.     userP->len = userNameLen;
30.     userP->name = (char *)malloc(userNameLen);
31.     strcpy(userP->name, buff); // log failed login attempt
32.     exit(-1);
33. }
34. }


Listing Two

 1. #include "stdafx.h"
 2. #include "TestItDan.h"
 3. #include <stdlib.h>
 4. #include <stdio.h>
 5. #include <windows.h>
 6. #define MAX_LOADSTRING 100
 7. struct user {
 8.     wchar_t *name;
 9.     size_t len;
10.     int uid;
11. };
13. HINSTANCE hInst;
14. TCHAR szTitle[MAX_LOADSTRING];
15. TCHAR szWindowClass[MAX_LOADSTRING];
16. TCHAR lpszUserName[16] = L"guest";
17. TCHAR lpszPassword[16] = L"0123456789abcde";
18. struct user *userP = (struct user *)0xcdcdcdcdcdcdcdcd;
19. size_t userNameLen = 16;
20. size_t userPasswordLen = 0xffffffff;
25. int APIENTRY _tWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                     LPTSTR    lpCmdLine,
                     int       nCmdShow) {
26.     UNREFERENCED_PARAMETER(hPrevInstance);
27.     UNREFERENCED_PARAMETER(lpCmdLine);
28.     MSG msg;
29.     HACCEL hAccelTable;
30.     LoadString(hInstance, IDS_APP_TITLE, szTitle, MAX_LOADSTRING);
31.     LoadString(hInstance, IDC_TESTITDAN, szWindowClass, MAX_LOADSTRING);
32.     MyRegisterClass(hInstance);
33. userP = (struct user *)malloc(sizeof(user));
34. if (!InitInstance (hInstance, nCmdShow)) {
35.     return FALSE;
36. }
37. hAccelTable = LoadAccelerators(hInstance, MAKEINTRESOURCE(IDC_TESTITDAN));
38. while (GetMessage(&msg, NULL, 0, 0)) {
39.     if (!TranslateAccelerator(msg.hwnd, hAccelTable, &msg)) {
40.         TranslateMessage(&msg);
41.         DispatchMessage(&msg);
42.     }
43. }
44. return (int) msg.wParam;
45. }

109. INT_PTR CALLBACK GetPassword(HWND hDlg, UINT message, 
                             WPARAM wParam, LPARAM lParam) {
110.    TCHAR lpszGuestPassword[16] = L"NCC-1701";
111.    UNREFERENCED_PARAMETER(lParam);
112.    switch (message) {
113.      case WM_INITDIALOG:
114.        return (INT_PTR)TRUE;
115.      case WM_COMMAND:
116.        if (LOWORD(wParam) == IDOK) {
117.          EndDialog(hDlg, LOWORD(wParam));
118.          SendDlgItemMessage(hDlg, 
119.            IDC_EDIT1, 
120.            EM_GETLINE, 
121.            (WPARAM) 0,       // line 0 
122.            (LPARAM) lpszPassword
123.          );
124.        userP->len = userNameLen;
125.        if (wcscmp(lpszPassword, lpszGuestPassword) == 0) {
126.          return true;
127.        }
128.        else {
129.          MessageBox(hDlg, 
130.               (LPCWSTR)L"Invalid Password", 
131.               (LPCWSTR)L"Login Failed", 
132.               MB_OK
133.          ); 
134.        }
135.        return (INT_PTR)TRUE;
136.        }
137.        break;
138.      }
139.      return (INT_PTR)FALSE;
140.  }


Listing Three

LRESULT Retval;
*((WORD *)(&lpszPassword)) = (sizeof(lpszPassword)/sizeof(TCHAR))-1;
Retval = SendDlgItemMessage(hDlg, IDC_EDIT1, EM_GETLINE, 
  (WPARAM) 0,       // line 0     
  (LPARAM) lpszPassword
);
lpszPassword[Retval]='\0';





2


