Full Disclosure mailing list archives
RE: Off topic programming thread
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Wed, 29 Oct 2003 17:33:47 -0600
-----Original Message-----
From: Brett Hutley [mailto:brett () hutley net]
Sent: Wednesday, October 29, 2003 12:13 AM
To: Bill Royds
Cc: madsaxon; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Off topic programming thread

I think what you're really saying is that C allows programmers to make mistakes when dealing with areas of memory. The above vulnerability is based on a mistake in the code. (If I was to code the above prototype BTW, I'd probably make it more like "static void defang(const char *str, char *dfstr, unsigned dfsize)" to indicate to programmers calling the function that the first argument's contents are immutable, the second argument is the destination buffer, and the size shouldn't be negative.)
Yes! This is precisely what I am talking about. If programmers wrote code like this, then they'd be perfectly justified, for example, to simply return an error if dfsize was negative. After all, you were warned. :-) It would be trivial to check for proper input there and simply return an error if it's wrong. So why isn't this the norm rather than the exception? Or is it the norm?

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
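The const-correct, size-carrying defang prototype Brett sketches above, written out as an added example that is not code from either poster: the function rejects a NULL pointer or a zero-length destination and returns an error instead of overrunning when the output does not fit. The thread never shows the original function body, so the HTML-style escaping of '<' and '>' is an assumed mapping for illustration. Because dfsize is unsigned, a caller's negative value arrives as a very large number, so the check is for zero and for fit rather than for negativity.

```c
#include <stddef.h>
#include <string.h>

/*
 * Copy str into dfstr, escaping '<' and '>' as HTML entities
 * (the escaping rule is assumed for this example).
 * Returns 0 on success, -1 on bad arguments or when the escaped
 * output would not fit in dfsize bytes including the terminator.
 * On failure dfstr is left empty so a caller cannot use a partial result.
 */
static int defang(const char *str, char *dfstr, unsigned dfsize)
{
    size_t out = 0;

    /* Validate every argument before touching any memory. */
    if (str == NULL || dfstr == NULL || dfsize == 0)
        return -1;

    for (; *str != '\0'; str++) {
        const char *rep;
        size_t rlen;

        switch (*str) {
        case '<': rep = "&lt;"; break;
        case '>': rep = "&gt;"; break;
        default:  rep = NULL;   break;
        }
        rlen = rep ? strlen(rep) : 1;

        /* Invariant: out <= dfsize - 1, so this never underflows.
         * Reserve one byte for the terminator; fail rather than overrun. */
        if (rlen > dfsize - 1 - out) {
            dfstr[0] = '\0';
            return -1;
        }
        if (rep)
            memcpy(dfstr + out, rep, rlen);
        else
            dfstr[out] = *str;
        out += rlen;
    }
    dfstr[out] = '\0';
    return 0;
}
```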
Current thread:
- RE: Off topic programming thread Schmehl, Paul L (Oct 27)
- <Possible follow-ups>
- RE: Off topic programming thread madsaxon (Oct 27)
- Re: Off topic programming thread Bill Royds (Oct 27)
- Re: Off topic programming thread Brett Hutley (Oct 28)
- Re: Off topic programming thread Bill Royds (Oct 29)
- Re: Off topic programming thread Alexandre Dulaunoy (Oct 29)
- Re: Off topic programming thread Brett Hutley (Oct 29)
- Re: Off topic programming thread Bill Royds (Oct 29)
- Auditing code for security problems Bill Royds (Oct 29)
- Re: Off topic programming thread Bill Royds (Oct 27)
- Re: Off topic programming thread Brett Hutley (Oct 29)