
> The canary is pretty clever: it starts with a null byte so that it won’t be leaked by normal string functions

Doesn't that also mean it won't be overwritten by string functions, masking certain bugs? Would it be better to make the NUL byte the second one, so that only one byte can be leaked, but certain program bugs that wouldn't otherwise be exposed will be?

strcpy and friends don't check for a null byte in the destination to find the end of the buffer; that wouldn't work very well, because often you want to copy into a buffer that has been initialized as all zeros, or copy a new string into a buffer that already has a shorter string, etc.

While that's a better way to do that, if the canary had a null at the beginning, it would effectively render string off-by-one errors useless, since now they can't even be exploited to crash a program. Again, this should not be used as an excuse to ignore string off-by-one errors, since these errors might be triggered on other architectures where the canary isn't guaranteed to start with a null.
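The trade-off the two commenters describe, as an added C simulation that is not from this thread: a constructed canary (not a real randomly generated one) with its zero byte at a chosen position, showing how many canary bytes a strlen-style read past an unterminated buffer exposes, and whether the epilogue check catches a one-byte NUL overwrite from a classic off-by-one. It generalizes the thread's two cases (zero byte first vs. second) to any position; `make_canary`, `canary_bytes_leaked` and `off_by_one_detected` are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define BUF_LEN 8
#define CANARY_LEN 8

/* Simulated stack frame: buf sits directly below the canary, as on x86-64,
 * where the compiler places the canary between locals and the saved return
 * address. canary[0] is the lowest-addressed byte. */
struct frame {
    char buf[BUF_LEN];
    unsigned char canary[CANARY_LEN];
};

/* Build a constructed (not randomly generated) canary whose only zero byte
 * sits at nul_index; all other bytes are non-zero. */
void make_canary(size_t nul_index, unsigned char out[CANARY_LEN]) {
    static const unsigned char pattern[CANARY_LEN] =
        {0x5a, 0x13, 0xc4, 0x9e, 0x27, 0x71, 0xb8, 0x3d};
    memcpy(out, pattern, CANARY_LEN);
    out[nul_index] = 0x00;
}

/* Number of canary bytes a strlen()/puts()-style read would expose when buf
 * holds BUF_LEN non-NUL bytes and no terminator: the read keeps going across
 * the frame until it meets the first zero byte. */
size_t canary_bytes_leaked(size_t nul_index) {
    struct frame f;
    memset(f.buf, 'A', BUF_LEN);
    make_canary(nul_index, f.canary);
    const unsigned char *p = (const unsigned char *)&f; /* raw frame bytes */
    size_t n = 0;
    while (n < sizeof f && p[n] != 0) n++;
    return n - BUF_LEN; /* bytes read past the end of buf */
}

/* Does the epilogue check catch a classic string off-by-one: BUF_LEN
 * characters copied into buf plus the terminating NUL, which lands on
 * canary[0]? */
bool off_by_one_detected(size_t nul_index) {
    struct frame f;
    unsigned char expected[CANARY_LEN];
    make_canary(nul_index, expected);
    memcpy(f.canary, expected, CANARY_LEN);
    unsigned char *p = (unsigned char *)&f;
    memset(p, 'B', BUF_LEN);
    p[BUF_LEN] = 0x00; /* the off-by-one terminator overwrites canary[0] */
    return memcmp(f.canary, expected, CANARY_LEN) != 0;
}
```

With the zero byte first, nothing leaks but the one-byte overwrite is invisible to the check; with it second, one byte leaks and the overwrite is caught.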