gets(3) nonsense
Jonathan Bayer
jbayer at ispi.UUCP
Fri Nov 25 23:42:29 AEST 1988
In article <644 at scotty.UUCP>, jwr at scotty.UUCP (Dier Retlaw Semaj) writes:
> In article <1403 at unisoft.UUCP> achut at unisoft.UUCP (Achut Reddy) writes:
> <In article <1643 at solo11.cs.vu.nl> maart at cs.vu.nl (Maarten Litmaath) writes:
> <
> <No, there is a fundamental difference between gets(3) and all the other
> <functions that don't check buffer boundaries. That difference is that
> <the other functions *can* be used safely if the programmer exercises
> <some care. He has complete control over the arguments he passes to these
> <functions, and can ensure that his buffers don't overflow.
>
> What about sprintf() & fprintf()?
> The user does not have *complete control* over these functions.
With proper care the user *does* have complete control. Simply specify
a length for each var being printed.
gets is different in that the input is undefined. If gets is used in a
program in which data is piped to, and it is part of a secure system, and
unsecured data can be piped to it, then it is possible to break it.
Jonathan Bayer
Intelligent Software Products, Inc.
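
Added example, not part of the original post: bounding sprintf() output with a string precision, and reading a line with fgets() where gets() would have had no limit at all. The function names (format_greeting, read_line, sample_input) and the sample input are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* The precision in %.*s is an upper bound on bytes copied from `name`,
 * so prefix + name + NUL can never exceed outsz. */
int format_greeting(char *out, size_t outsz, const char *name)
{
    static const char prefix[] = "hello, ";
    if (outsz < sizeof prefix)          /* no room for prefix + NUL */
        return -1;
    return sprintf(out, "%s%.*s", prefix, (int)(outsz - sizeof prefix), name);
}

/* Bounded stand-in for gets(): stores at most bufsz-1 bytes, strips the
 * newline, discards the rest of an over-long line.
 * Returns 0 = whole line, 1 = truncated, -1 = EOF or error. */
int read_line(FILE *in, char *buf, size_t bufsz)
{
    if (bufsz == 0 || fgets(buf, (int)bufsz, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 0;
    }
    int c, truncated = 0;               /* no newline: drain the remainder */
    while ((c = getc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

/* Constructed input standing in for untrusted piped data:
 * one 40-byte line followed by a short one. */
FILE *sample_input(void)
{
    FILE *f = tmpfile();
    if (!f)
        return NULL;
    for (int i = 0; i < 40; i++)
        putc('A', f);
    fputs("\nok\n", f);
    rewind(f);
    return f;
}

int main(void)
{
    char buf[16], msg[16];
    FILE *in = sample_input();
    int r;
    if (!in)
        return 1;
    while ((r = read_line(in, buf, sizeof buf)) >= 0) {
        format_greeting(msg, sizeof msg, buf);
        printf("%s%s\n", msg, r ? " [input truncated]" : "");
    }
    fclose(in);
    return 0;
}
```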