Full Disclosure mailing list archives
RE: Coding securely, was Linux (in)security
From: Paul Schmehl <pauls () utdallas edu>
Date: Sun, 26 Oct 2003 22:09:47 -0600
--On Sunday, October 26, 2003 7:25 PM -0800 Chris Eagle <cseagle () redshift com> wrote:
No, that is not what I'm saying. What I'm saying is that the programmer should not *expect* the subroutine to do his error checking for him. If *everyone* wrote code that way, including the writer of the subroutine, we wouldn't have the problems we have with buffer overflows.That is the most backward thing I have ever heard. So you are saying all I need to do as a programmer is tell you not to pass a negative number/null pointer/un-initialized value... to my function and I am off the hook. All I can say is that I am glad utdallas doesn't have you teaching programming. The fact that you are unaware what lies inside the black box in no way relieves the responsibility of the designer of the black box to make sure that it behaves predictably under all input cases.
The problem we have now is everyone is expecting someone *else* to do the error checking, when in fact everyone should be expecting exactly the opposite.
However, what you are expecting the writer of the subroutine to do is anticipate every possible input, and that may not be possible in all cases. Certainly the writer should do error checking, but that doesn't alleviate the *user* of the subroutine from doing their job.
Paul Schmehl (pauls () utdallas edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: [inbox] Re: RE: Linux (in)security, (continued)
- Re: [inbox] Re: RE: Linux (in)security Bill Royds (Oct 27)
- Re: [inbox] Re: RE: Linux (in)security Bruce Ediger (Oct 27)
- Message not available
- Coding securely, was Linux (in)security Paul Schmehl (Oct 26)
- RE: Coding securely, was Linux (in)security Chris Eagle (Oct 26)
- Re: Coding securely, was Linux (in)security Brett Hutley (Oct 26)
- RE: Coding securely, was Linux (in)security Chris Eagle (Oct 26)
- Re: Coding securely, was Linux (in)security Brett Hutley (Oct 26)
- Off topic programming thread Mortis (Oct 26)
- Re: Off topic programming thread Bill Weiss (Oct 27)
- Re: Off topic programming thread Chris Smith (Oct 27)
- RE: Coding securely, was Linux (in)security Paul Schmehl (Oct 26)
- Re: Coding securely, was Linux (in)security Bill Royds (Oct 26)
- Re: Coding securely, was Linux (in)security Valdis . Kletnieks (Oct 26)
- Re: Coding securely, was Linux (in)security Brett Hutley (Oct 26)
- RE: Coding securely, was Linux (in)security Chris Eagle (Oct 26)
- RE: Coding securely, was Linux (in)security Steve Wray (Oct 27)
- Re: Coding securely, was Linux (in)security Gregory A. Gilliss (Oct 27)
- Re: Coding securely, was Linux (in)security Valdis . Kletnieks (Oct 28)
- Re: Coding securely, was Linux (in)security Gregory Steuck (Oct 28)
- Re: Coding securely, was Linux (in)security Valdis . Kletnieks (Oct 29)
- Re: Coding securely, was Linux (in)security Ben Laurie (Oct 29)