[Cryptography] Buffer overflows from 1974
John Gilmore
gnu at toad.com
Tue Jan 6 02:13:49 EST 2026
Peter Gutmann via cryptography <cryptography at metzdowd.com> wrote:
> In 1974 a real programmer would have fixed it by saying "your
> fault for entering a stupidly long password, and in any case what are
> you going to achieve with that, it'll just segfault and you'll have to
> run it again, this time with valid input".

Yes. Research UNIX was research -- making it work at all for common
cases was much more important than making it perfect in all cases.
Using a decade of hindsight, the GNU Project aimed for a similar but
production-ready system, with the sharp edges filed off for safety and
predictability.

GNU set coding standards for its UNIX clone as early as 1992 that
demanded its programs and libraries must have no fixed string length or
buffer length limits, being limited only by available dynamic main
memory:

https://www.gnu.org/prep/standards/standards.html#Semantics

The Research UNIX code just shrugged and listed such limits in the BUGS
section of the man page, if they noticed at all. E.g. grep would fail
if input file lines were wider than some X columns.

As a result, POSIX-1.2017 standardized that "text files" input to any
command could not have lines longer than {LINE_MAX}, defaulting to 2048
bytes:

https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_403

Without including such a caveat, UNIX could not be considered a
POSIX-conforming system!
John
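
An added illustration of the contrast drawn in the message above, not code from the post, from Research UNIX or from GNU: a line reader with a fixed buffer that has to reject an over-long line, beside one that grows its buffer until the line fits. The function names, the 2048-byte buffer and the 5000-byte sample line are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-limit style: 0 on success, -1 if the line did not fit in buf. */
int read_line_fixed(FILE *fp, char *buf, size_t cap)
{
    if (fgets(buf, (int)cap, fp) == NULL) return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') { buf[n - 1] = '\0'; return 0; }
    int c = fgetc(fp);                  /* anything left means truncation */
    if (c != EOF) ungetc(c, fp);
    return c == EOF ? 0 : -1;
}

/* No-fixed-limit style: grow the buffer until the whole line fits. Returns
 * a malloc'd line without its newline (caller frees), or NULL at end of
 * input or when memory runs out. */
char *read_line_dynamic(FILE *fp)
{
    size_t cap = 64, len = 0;
    char *buf = malloc(cap);
    int c;
    if (buf == NULL) return NULL;
    while ((c = fgetc(fp)) != EOF && c != '\n') {
        if (len + 1 == cap) {           /* keep one byte for the NUL */
            char *bigger = cap > (size_t)-1 / 2 ? NULL : realloc(buf, cap * 2);
            if (bigger == NULL) { free(buf); return NULL; }
            buf = bigger; cap *= 2;
        }
        buf[len++] = (char)c;
    }
    if (c == EOF && len == 0) { free(buf); return NULL; }
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    char small[2048];
    FILE *fp = tmpfile();               /* constructed input: one 5000-byte line */
    if (fp == NULL) return 1;
    for (int i = 0; i < 5000; i++) fputc('x', fp);
    rewind(fp);
    printf("fixed: %d\n", read_line_fixed(fp, small, sizeof small));
    rewind(fp);
    char *line = read_line_dynamic(fp);
    printf("dynamic: %zu bytes\n", line ? strlen(line) : (size_t)0);
    free(line);
    return 0;
}
```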