Return to the
comp.compilers page.
Search the
comp.compilers archives again.
| From: | eodell@pobox.com (Eric O'Dell) |
| Newsgroups: | comp.compilers |
| Date: | 13 Aug 1998 22:00:52 -0400 |
| Organization: | Compilers Central |
| References: | 98-07-242 98-07-246 98-08-014 98-08-029 |
| Keywords: | C, practice, comment |
On 4 Aug 1998 22:17:44 -0400, fjh@cs.mu.OZ.AU (Fergus Henderson)
wrote:
>A better approach is to use safer programming languages, especially
>for security-critical applications. Who ever heard of a buffer
>overflow exploit for a program written in Java, Sather, Haskell, or
>Mercury?
Maybe I'm missing something here, but aren't buffer overflows
completely preventable by simply not reading more data into the buffer
than it can contain? Sure, it's easier just to slurp a chunk of data
into any arbitrary buffer and make obeisances to whatever dark gods
mistaught your coding practices, but isn't that just, well...
laziness? It's *almost* understandable if you're writing a
non-critical application whose input is well-defined in advance, but
if your code is going to be exposed to end-users and the general
public, it's like slapping a "LOOT ME" sign across the front window of
the store during a riot.
IMHO, if this is a problem for your organization, it's a sign that
your hiring practices, and not your programming tools, are at fault.
--Eric
| Try Doubtful Encounter BBS: http://www.pobox.com/~eodell/discus |
[Yes and no. That's certainly the correct solution, but C and C++ give
you no help at all in that regard, with routines like sprintf which
will cheerily write arbitrarily long results and smash off the end of
a buffer. -John]
--
Return to the
comp.compilers page.
Search the
comp.compilers archives again.