Vulnerability Development mailing list archives
Re: Secure coding in C (was Re: Administrivia #4883)
From: bet () RAHUL NET (Bennett Todd)
Date: Mon, 17 Jan 2000 11:18:23 -0500
2000-01-17-07:13:01 K Martin:
> I'm being misunderstood. My fault.

Actually, I think I own more of the fault here.

> Mr. Bennett's original example did not give me any indication as to the exact nature of something() and something_else().

That's true. As it turns out, my actual code did in fact deserve some more checking, which it has gotten from this review, but I did you all a disservice by trying to make it generic before posting it. I saw someone implying that a program must have exploitable buffer-overflow bugs just because it used strcpy and strcat, and thought I disagreed; I tried to provide an illustration of how they could be used safely, and ended up making the implicit assumption that the data being provided passed some reasonable sanity checks (valid pointers to valid C strings, and the sum of their length able to fit within size_t).

I think it has been a valuable discussion even if it has been more abstract than usual; these misunderstandings seem to be illustrating different ways that different people look at a problem, and they have shed light on a lot of dark corners.

I've not yet come to a real conclusion of how I should organize my code to deal with these problems. I may just hoist all string processing up into Lua, since I was going to be using that as a config language for the LDA anyway; that would solve all these problems.

When I have something that compiles and does something useful, I'll certainly make a point of announcing it on this list!

-Bennett
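
Added example, not part of the original post or of the code discussed in the thread: a C sketch of the pattern the message describes, where strcpy and strcat are safe because the destination is sized from the same strings and the stated preconditions are checked first. The names `concat_checked` and `sizes_fit` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: 1 if la + lb + 1 (for the NUL) fits in size_t.
 * Written as a subtraction so the check itself cannot wrap around. */
int sizes_fit(size_t la, size_t lb)
{
    return lb < SIZE_MAX - la;
}

/* Hypothetical helper: returns a newly allocated "a" + "b", or NULL when
 * a precondition fails or allocation fails. Caller frees the result. */
char *concat_checked(const char *a, const char *b)
{
    size_t la, lb;
    char *out;

    /* Precondition: valid pointers. Only NULL can be detected here;
     * that each one points at a NUL-terminated string remains the
     * caller's obligation. */
    if (a == NULL || b == NULL)
        return NULL;

    la = strlen(a);
    lb = strlen(b);

    /* Precondition: the sum of the lengths fits within size_t.
     * Without this, a wrapped sum would yield an undersized buffer. */
    if (!sizes_fit(la, lb))
        return NULL;

    out = malloc(la + lb + 1);
    if (out == NULL)
        return NULL;

    /* The buffer holds exactly la + lb + 1 bytes, so these unbounded
     * copies cannot write past its end. */
    strcpy(out, a);
    strcat(out, b);
    return out;
}

int main(void)
{
    char *s = concat_checked("/var/mail/", "bet"); /* constructed input */
    if (s != NULL) { puts(s); free(s); }
    return 0;
}
```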