[11134] in cryptography@c2.net mail archive


Re: It's Time to Abandon Insecure Languages

daemon@ATHENA.MIT.EDU (Matthew Byng-Maddick)
Fri Jul 19 13:27:51 2002

Date: Fri, 19 Jul 2002 09:21:39 +0100
From: Matthew Byng-Maddick <cryptography@lists.colondot.net>
To: cryptography@wasabisystems.com
In-Reply-To: <Pine.LNX.4.40.0207181305280.32235-100000@newbolt.sonic.net>
Mail-Copies-To: never

On Thu, Jul 18, 2002 at 01:08:55PM -0700, bear wrote:
> Agreed.  And I particularly like Scheme.  However, it's also not
> hard to compile your C code with bounds checking turned on if you're
> willing to sacrifice maybe a few things you shouldn't be using anyway,
> so it's pretty inexcusable IMO to still be having buffer overflows.

Erm, what things do you think you can sacrifice? Pointer arithmetic,
perhaps, except that it's a fairly fundamental part of C. The problems
of buffer overflows are slightly screwy. Can you tell me, for example,
what the length of s needs to be on
a) a 32-bit machine
b) a 64-bit machine
and notice that most people don't even consider this.

  sprintf(s,"%ld",long_val);

And, how big (on the same platforms) is:

  sprintf(s,"%lf",double_val);

You should also note that snprintf(3) is widely regarded as non-portable
due to its non-existence on many platforms.

Most code is susceptible to this kind of thing, because people don't
necessarily know to look for it.

MBM

-- 
Matthew Byng-Maddick         <mbm@colondot.net>           http://colondot.net/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
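
An added example, not part of the original message: one way to answer the two sizing questions above, deriving the worst-case buffer for `%ld` from the width of `long` at compile time and for `%lf` from `DBL_MAX_10_EXP`, then checking both against what the C library reports. It assumes a C99 `snprintf` (which the message notes was not universally available at the time) and the "C" locale; the macro and function names are hypothetical.

```c
#include <float.h>
#include <limits.h>
#include <stdio.h>

/* Decimal digits needed for a signed integer type: value bits * log10(2),
 * rounded up. 302/1000 is slightly above log10(2), so this never undercounts. */
#define DEC_DIGITS(type) ((sizeof(type) * CHAR_BIT - 1) * 302 / 1000 + 1)

/* sign + digits + NUL: 12 where long is 32 bits, 22 where it is 64 bits */
#define LONG_BUF (1 + DEC_DIGITS(long) + 1)

/* "%lf" means "%f" for printf: sign, integer digits, '.', 6 decimals, NUL.
 * Assumes the "C" locale (one-byte decimal point). */
#define DOUBLE_F_BUF (1 + (DBL_MAX_10_EXP + 1) + 1 + 6 + 1)

/* Length the C library would actually write, excluding the NUL (C99). */
int measured_long_len(long v)     { return snprintf(NULL, 0, "%ld", v); }
int measured_double_len(double d) { return snprintf(NULL, 0, "%f", d); }

/* Bounded formatting: returns length written, or -1 if dst is too small. */
int format_long(char *dst, size_t n, long v)
{
    int len = snprintf(dst, n, "%ld", v);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

int main(void)
{
    char s[LONG_BUF];
    printf("long:   bound %zu, worst case needs %d\n",
           (size_t)LONG_BUF, measured_long_len(LONG_MIN) + 1);
    printf("double: bound %d, worst case needs %d\n",
           (int)DOUBLE_F_BUF, measured_double_len(-DBL_MAX) + 1);
    return format_long(s, sizeof s, LONG_MIN) < 0;
}
```

With an IEEE 754 double the `%lf` case needs over 300 bytes, which is why a buffer sized by eye for "a number" overflows on large values.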
