[Cryptography] Buffer overflows from 1974

John Levine johnl at iecc.com
Mon Jan 5 10:46:59 EST 2026


It appears that Steven M. Bellovin <smb at cs.columbia.edu> said:
>> It was written on a PDP-11... I'm guessing 45 with 32KW memory using ed on a
>> Model 33 teletype, it couldn't run anything beyond the most basic pre-K&R C.
>> This also explains the... unfortunate coding style, if it hurts to edit
>> anything other than the line you're currently in the process of entering you'd
>> want to minimise the amount of typing and re-typing necessary.  So any new
>> code wouldn't be written in anything like this style regardless of the
>> compiler or C variant.
>>
>More likely a Model 37 teletype, given the lower case/upper case distinction.

I did a lot of Unix work using Model 33s starting with Unix 5th edition. The TTY
driver mapped input characters to lower case unless backslash escaped, and that
was good enough since C code was invariably all in lower case.

Speaking of C code, a 1974 programmer wouldn't have made the overcomplicated fix
in that article with the extra variable and three new lines of code using
sizeof() which hadn't been invented yet. A real programmer would have fixed this
buffer overflow this way:

Before:

	while((*q = getchar()) != '\n')

After:

	while(q < password+99 && (*q = getchar()) != '\n')

Or if pointer arithmetic were buggy, noting that pwbuf is declared immediately after password:

	while(q < pwbuf && (*q = getchar()) != '\n')

Tersely,
John

PS: Yes, I know that last one isn't quite right.  But in this case it doesn't matter.
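
Added example, not part of the original message: the three loop variants above run against a constructed 150-character line, counting bytes that land at or beyond pwbuf. It assumes the loop is followed by a terminator store (*q = '\0'), which the message does not show; arena, next_char and spill are hypothetical names, and one 200-byte array models the two adjacent 100-byte buffers so the overrun stays inside a defined object.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: password[100] is immediately followed by pwbuf[100].
   Both live in one array so out-of-bounds writes can be counted safely. */
static char arena[200];
#define password (arena)
#define pwbuf    (arena + 100)

static const char *src;   /* constructed input, stands in for the terminal */
static int next_char(void) { return *src ? *src++ : '\n'; }

enum variant { UNBOUNDED, BOUND_99, BOUND_PWBUF };

/* Runs one loop variant on `input` (keep it under 199 chars), stores the
   assumed terminator, and returns how many bytes at or past pwbuf changed. */
size_t spill(enum variant v, const char *input)
{
    char *q = password;
    size_t n = 0;

    memset(arena, 0x55, sizeof arena);           /* sentinel fill */
    src = input;
    switch (v) {
    case UNBOUNDED:                              /* "Before" */
        while ((*q = next_char()) != '\n') q++;
        break;
    case BOUND_99:                               /* "After" */
        while (q < password + 99 && (*q = next_char()) != '\n') q++;
        break;
    case BOUND_PWBUF:                            /* bound taken from pwbuf */
        while (q < pwbuf && (*q = next_char()) != '\n') q++;
        break;
    }
    *q = '\0';                                   /* assumed follow-up store */
    for (char *p = pwbuf; p < arena + sizeof arena; p++)
        if (*p != 0x55) n++;
    return n;
}

int main(void)
{
    char in[151];
    memset(in, 'a', 150); in[150] = '\0';        /* constructed long line */
    printf("unbounded=%zu bound99=%zu boundpwbuf=%zu\n", spill(UNBOUNDED, in),
           spill(BOUND_99, in), spill(BOUND_PWBUF, in));
    return 0;
}
```

In this model the password+99 bound leaves room for the terminator at password[99], while the pwbuf bound lets the terminator land in pwbuf[0].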



