cybersecurity · beginner · ~15 min

Detect a NUL byte hidden inside argv (within the allocated extent)

Defensive scan for NUL-byte smuggling.

Challenge

Some legacy APIs treat strings as 'up to NUL', but the buffer the caller actually allocated extends further. An attacker passes a value like safe.txt\0/etc/passwd — the API stops at NUL and opens safe.txt, but a downstream layer reads the buffer raw and sees the rest.

Implement int has_nul_smuggle(const char *buf, int allocated_len). Treating buf as a byte buffer of allocated_len bytes, return 1 if there is any non-NUL byte at any index after the first NUL in buf, else 0.

Why this matters

Attacker-controlled input with an embedded NUL byte can pass through legacy APIs that stop at the first NUL, so one filename is smuggled past the check while another is read downstream. Detecting it is a defensive first pass.

Input format

Byte buffer + size.

Output format

0/1.

Constraints

Read exactly allocated_len bytes.

Starter code

int has_nul_smuggle(const char *buf, int allocated_len) { /* TODO */ (void)buf; (void)allocated_len; return 0; }

Common mistakes

Using strlen — that's the bug being defended against.

Edge cases to handle

No NUL anywhere. NUL at the last byte (no follow-on). All-NUL.

Complexity

O(allocated_len).
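Worked example

The following is an added example, not part of the original exercise or its reference solution: one way to write the full-extent scan, next to a helper that shows what a NUL-terminated API would see in the same buffer. The helper name legacy_view_len, the sample buffer, and the choice to return 0 for a NULL pointer or non-positive length are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Length a NUL-terminated API would see, bounded by the allocated extent
 * (memchr is used instead of strlen so we never read past allocated_len). */
int legacy_view_len(const char *buf, int allocated_len) {
    const char *nul;
    if (buf == NULL || allocated_len <= 0)
        return 0;
    nul = memchr(buf, '\0', (size_t)allocated_len);
    return nul ? (int)(nul - buf) : allocated_len;
}

/* Returns 1 if any non-NUL byte follows the first NUL inside the
 * allocated extent, else 0. Assumption: NULL or len <= 0 yields 0. */
int has_nul_smuggle(const char *buf, int allocated_len) {
    int seen_nul = 0;
    if (buf == NULL || allocated_len <= 0)
        return 0;
    for (int i = 0; i < allocated_len; i++) {
        if (buf[i] == '\0')
            seen_nul = 1;          /* remember the first NUL and keep scanning */
        else if (seen_nul)
            return 1;              /* live data hidden behind a NUL */
    }
    return 0;                      /* no NUL, or only NULs after the first one */
}

int main(void) {
    /* Constructed sample input: 8 visible bytes, a NUL, then 11 hidden bytes
     * and the literal's own terminator (21 bytes in total). */
    static const char smuggled[] = "safe.txt\0/etc/passwd";
    static const char padded[12] = "safe.txt";   /* zero-filled tail */
    int n = (int)sizeof smuggled;

    printf("legacy API sees %d of %d bytes: \"%s\"\n",
           legacy_view_len(smuggled, n), n, smuggled);
    printf("smuggled: %d\n", has_nul_smuggle(smuggled, n));
    printf("padded:   %d\n", has_nul_smuggle(padded, (int)sizeof padded));
    return 0;
}
```

The padded buffer shows why the check must look for non-NUL bytes after the first NUL rather than compare lengths: zero padding after the terminator is not smuggling.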
