It's Time to Abandon Insecure Languages
Matthew Byng-Maddick
cryptography at lists.colondot.net
Fri Jul 19 04:21:39 EDT 2002
On Thu, Jul 18, 2002 at 01:08:55PM -0700, bear wrote:
> Agreed. And I particularly like Scheme. However, it's also not
> hard to compile your C code with bounds checking turned on if you're
> willing to sacrifice maybe a few things you shouldn't be using anyway,
> so it's pretty inexcusable IMO to still be having buffer overflows.
Erm, what things do you think you can sacrifice? Pointer arithmetic,
perhaps, except that it's a fairly fundamental part of C. The problems
of buffer overflows are slightly screwy. Can you tell me, for example,
what the length of s needs to be on
a) a 32-bit machine
b) a 64-bit machine
and notice that most people don't even consider this.

    sprintf(s,"%ld",long_val);

And, how big (on the same platforms) is:

    sprintf(s,"%lf",double_val);

You should also note that snprintf(3) is widely regarded as non-portable
due to its non-existence on many platforms.
Most code is susceptible to this kind of thing, because people don't
necessarily know to look for it.
MBM
--
Matthew Byng-Maddick <mbm at colondot.net> http://colondot.net/
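
An added example, not part of the original post: one way to answer the two sizing questions above in C, deriving the `long` buffer from the type's width and measuring the `double` case. It assumes a C99 library that provides snprintf and 8-bit bytes; `DEC_BUFSIZE`, `format_long` and `f_bufsize` are names made up for this sketch.

```c
#include <float.h>
#include <limits.h>
#include <stdio.h>

/* Worst-case bytes, NUL included, for a signed integer of `nbytes` bytes
 * printed in decimal: value bits * log10(2), rounded up, plus sign and NUL. */
#define DEC_BUFSIZE(nbytes) \
    (((nbytes) * CHAR_BIT - 1) * 30103 / 100000 + 3)

/* Bounded replacement for sprintf(s, "%ld", v).
 * Returns the length written, or -1 if dst is too small. */
int format_long(char *dst, size_t dstlen, long v)
{
    int n = snprintf(dst, dstlen, "%ld", v);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : n;
}

/* Bytes, NUL included, that sprintf(s, "%f", d) would need, measured by
 * the C99 "NULL, 0" form of snprintf instead of guessed. */
int f_bufsize(double d)
{
    int n = snprintf(NULL, 0, "%f", d);
    return n < 0 ? -1 : n + 1;
}

int main(void)
{
    char s[DEC_BUFSIZE(sizeof(long))];  /* 12 with 32-bit long, 21 with 64-bit */
    char small[12];                     /* sized for a 32-bit long only */

    printf("long is %u bytes, buffer is %u bytes\n",
           (unsigned)sizeof(long), (unsigned)sizeof s);
    printf("LONG_MIN: %d chars\n", format_long(s, sizeof s, LONG_MIN));
    /* Rejected (-1) where long is 64 bits instead of overflowing. */
    printf("LONG_MIN into char[12]: %d\n",
           format_long(small, sizeof small, LONG_MIN));
    printf("\"%%f\" of -DBL_MAX needs %d bytes\n", f_bufsize(-DBL_MAX));
    return 0;
}
```

With IEEE-754 doubles the last line reports 318 bytes, since "%f" prints every integer digit of the value.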