[Cryptography] Use Linux for its security

Ray Dillinger bear at sonic.net
Fri Sep 30 14:34:03 EDT 2016



On 09/29/2016 11:50 PM, Dave Horsfall wrote:

> Please don't say that it was the stack-clobbering gets()...  Last I 
> looked, it will no longer be part of POSIX.


It was equivalent.  It was fscanf(file, "%s", charpointer).

I did the immediate security fix:  fscanf(filename, "%179s",
charpointer)  where 180 is the hardcoded size of the buffer.  The more
comprehensive design fix with a parser that treats newline as just
another whitespace character is underway.

Getting rid of gets() is a no-brainer, because gets() CAN'T be used with
buffer length checking.  But fscanf is also a problem, because
the EASIEST way to use it to read a line does no buffer length checking.
That's the wrong way round.  It should be the dangerous use that's
harder and the safer use that's easier.  That way people would (usually,
probably) do the safer thing by habit.

I would REALLY like to see a guarantee in the specification of fscanf
and friends that "%s" when not length-qualified is considered equivalent
to "%255s", or that using them to read more than 64k characters at a
time is an error, or something, just to guarantee that there's a clearly
"safe" amount of buffer to allocate.


				Bear


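The three variants discussed above (the unbounded "%s" read, the "%179s" immediate fix, and a parser that treats newline as ordinary whitespace) side by side, as an added example that is not code from the message or its author. It assumes a POSIX `fmemopen()` so that a constructed in-memory sample can stand in for the file, derives the width qualifier from the buffer size with the preprocessor so the two cannot drift apart, and also shows the caveat a practitioner should know about the bounded form: an over-long token is silently split, and the unread tail comes back as the next "token". Names such as `read_token_bounded`, `read_token_checked` and `run_demo` are this example's own.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Prototype repeated so the example also builds under strict -std= modes. */
FILE *fmemopen(void *buf, size_t size, const char *mode);

#define WIDTH 179                       /* max bytes stored, excluding the NUL */
#define BUFSZ (WIDTH + 1)               /* the 180-byte buffer from the message */
#define STR2(x) #x
#define STR(x) STR2(x)
#define FMT_BOUNDED "%" STR(WIDTH) "s"  /* expands to "%179s", tied to BUFSZ */

/* The dangerous form: no width, so a token longer than buf overruns it.
 * Shown for contrast only; it is never called here. */
int read_token_unbounded(FILE *f, char *buf)
{
    return fscanf(f, "%s", buf) == 1;
}

/* The immediate fix: the width bounds the write. Returns 1 on a token, 0 at EOF.
 * Caveat: a token longer than WIDTH is silently split, and the caller cannot
 * tell a truncated token from a full-length one. */
int read_token_bounded(FILE *f, char buf[BUFSZ])
{
    return fscanf(f, FMT_BOUNDED, buf) == 1;
}

/* The design fix: an explicit tokenizer where every isspace() byte, newline
 * included, is a separator. Returns the token length, 0 at EOF with no token,
 * or -1 for a token that does not fit in cap-1 bytes; the excess is consumed so
 * the stream stays in sync and the error is reported instead of hidden. */
long read_token_checked(FILE *f, char *buf, size_t cap)
{
    int c;
    size_t n = 0;
    if (cap == 0) return -1;
    do { c = fgetc(f); } while (c != EOF && isspace(c));  /* skip leading whitespace */
    if (c == EOF) { buf[0] = '\0'; return 0; }
    while (c != EOF && !isspace(c)) {
        if (n + 1 >= cap) {                               /* no room for byte + NUL */
            while (c != EOF && !isspace(c)) c = fgetc(f); /* discard rest of token */
            buf[0] = '\0';
            return -1;
        }
        buf[n++] = (char)c;
        c = fgetc(f);
    }
    buf[n] = '\0';
    return (long)n;
}

/* Constructed sample input (not real data): three short words separated by a
 * space, a newline and a tab, then one 200-byte token, then one more word. */
static void build_sample(char *out, size_t cap)
{
    size_t n = (size_t)snprintf(out, cap, "alpha beta\ngamma\t");
    memset(out + n, 'x', 200);
    n += 200;
    snprintf(out + n, cap - n, "\ndelta\n");
}

typedef struct {
    int bounded_tokens;    /* tokens the "%179s" reader produced */
    size_t tail_len;       /* length of the 5th bounded token: the split residue */
    int checked_tokens;    /* tokens the explicit tokenizer accepted */
    int checked_rejected;  /* over-long tokens it reported */
} demo_result;

/* Run both readers over the same sample and summarise their behaviour. */
demo_result run_demo(void)
{
    static char sample[256];
    char buf[BUFSZ];
    demo_result r = {0, 0, 0, 0};
    long len;
    build_sample(sample, sizeof sample);

    FILE *f = fmemopen(sample, strlen(sample), "r");
    while (read_token_bounded(f, buf)) {
        r.bounded_tokens++;
        if (r.bounded_tokens == 5) r.tail_len = strlen(buf);
    }
    fclose(f);

    f = fmemopen(sample, strlen(sample), "r");
    while ((len = read_token_checked(f, buf, sizeof buf)) != 0) {
        if (len < 0) r.checked_rejected++; else r.checked_tokens++;
    }
    fclose(f);
    return r;
}

int main(void)
{
    demo_result r = run_demo();
    printf("bounded: %d tokens, 5th has length %zu (tail of the split token)\n",
           r.bounded_tokens, r.tail_len);
    printf("checked: %d tokens accepted, %d over-long tokens rejected\n",
           r.checked_tokens, r.checked_rejected);
    return 0;
}
```

On the sample the bounded reader yields six tokens: the 200 x's come back as a 179-byte token followed by a 21-byte one, with no indication that anything was cut. The explicit tokenizer yields four tokens and one rejection for the same input, which is the behaviour a parser that treats newline as just another separator should have when a field is too long to store.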