Re: A way to prevent buffer overflow exploits?

"Richard Matthias" <richard@exaflop.org>
19 Aug 1998 16:19:44 -0400

          From comp.compilers
Related articles
[10 earlier articles]
Re: A way to prevent buffer overflow exploits? shriram@cs.rice.edu (Shriram Krishnamurthi) (1998-08-16)
Re: A way to prevent buffer overflow exploits? conway@cs.mu.OZ.AU (1998-08-16)
Re: A way to prevent buffer overflow exploits? genew@vip.net (1998-08-17)
Re: A way to prevent buffer overflow exploits? conway@cs.mu.OZ.AU (1998-08-17)
Re: A way to prevent buffer overflow exploits? chase@world.std.com (David Chase) (1998-08-19)
Re: A way to prevent buffer overflow exploits? eodell@pobox.com (1998-08-19)
Re: A way to prevent buffer overflow exploits? richard@exaflop.org (Richard Matthias) (1998-08-19)
Re: A way to prevent buffer overflow exploits? joachim.durchholz@munich.netsurf.de (Joachim Durchholz) (1998-08-22)
| List of all articles for this month |
From: "Richard Matthias" <richard@exaflop.org>
Newsgroups: comp.compilers
Date: 19 Aug 1998 16:19:44 -0400
Organization: Compilers Central
References: 98-07-242 98-07-246 98-08-014 98-08-029 98-08-081
Keywords: C, practice, comment

> [Yes and no. That's certainly the correct solution, but C and C++ give
> you no help at all in that regard, with routines like sprintf which
> will cheerily write arbitrarily long results and smash off the end of
> a buffer. -John]


The buffer overflow issue dates back to fundamental design deficiencies in
the original C streams library which was made part of ANSI-C almost
verbatim. Amazingly people are still re-implementing this 'broken
standard' without concern for its problems. Some years ago AT&T wrote a
new - far superior - streams library called sfio. It is documented in the
book Practical Reusable Unix Software (see
http://portal.research.bell-labs.com/orgs/ssr/book/reuse/). I gather reuse
of the sfio library is free (in the no-fee sense).


R.
[If only one could get it into the C standard. Actually, it looks like
the new standard will have stuff like snprintf which make it easier to
avoid buffer overflow problems, if only people will use them. -John]
--

Post a followup to this message

Return to the comp.compilers page.
Search the comp.compilers archives again.