A
Army1987
#include <stdio.h>
int main() { while (1) putchar( "!" ); return /* ha! */ 0; }
you meant putchar('!')?
#include <stdio.h>
int main() { while (1) putchar( "!" ); return /* ha! */ 0; }
¬a\/b wrote, On 27/04/07 08:56:
<snip more stuff based on this completely false statement>
Wrong. fgets is defined by the C standard as returning a null pointer on
failure or a pointer to the start of the buffer on success. I suggest
you go back to school.
Tor said:jacob navia wrote:
[...]
This is a very positive development. After all those discussions,
reason prevailed and we got rid of that wart.
These days, there should be no experienced C programmers using gets()
in security sensitive programs anyway, so I don't see the big fuzz about
this.
I have done a number of C code audits in safety-critical systems, and never
seen a single gets(), and didn't expect such a trivial bug either.
Who cares what students use?
I don't.
Tor said:jacob navia wrote:
[...]This is a very positive development. After all those discussions,
reason prevailed and we got rid of that wart.
These days, there should be no experienced C programmers using gets()
in security sensitive programs anyway, so I don't see the big fuzz about
this.
I have done a number of C code audits in safety-critical systems, and never
seen a single gets(), and didn't expect such a trivial bug either.
Who cares what students use?
I don't.
Hey, I use gets() all the time in "quick and dirty"
programs. I have some programs that take data in
flat files and create scripts of SQL statements to
add the data to a MySQL database. I just can *not*
see how gets() is going to cause me a security problem
here.
Also, in writing an adventure game or any other game
without secure access, that using gets() is okay.
But gcc still dogs me about using gets(). :-( I could
deal with a warning message, but gcc incorporates code
to print out a nasty message *every* time I run my code.
No fair... ;-)
Charles said:Tor said:jacob navia wrote:
[...]
This is a very positive development. After all those discussions,
reason prevailed and we got rid of that wart.
These days, there should be no experienced C programmers using gets()
in security sensitive programs anyway, so I don't see the big fuzz about
this.
I have done a number of C code audits in safety-critical systems, and never
seen a single gets(), and didn't expect such a trivial bug either.
Who cares what students use?
I don't.
Hey, I use gets() all the time in "quick and dirty"
programs. I have some programs that take data in
flat files and create scripts of SQL statements to
add the data to a MySQL database. I just can *not*
see how gets() is going to cause me a security problem
here.
Also, in writing an adventure game or any other game
without secure access, that using gets() is okay.
But gcc still dogs me about using gets(). :-( I could
deal with a warning message, but gcc incorporates code
to print out a nasty message *every* time I run my code.
No fair... ;-)
Charles Richmond wrote:
gcc incorporates no such code, and if your particular standard C
library implementation does, it's broken. See if an upgrade is
available.
Flash said:Harald van Dijk wrote, On 29/04/07 09:49:
It is, however, broken in a very useful way IMHO.
Army1987 said:you meant putchar('!')?
Malcolm said:Except it would be this:
int main()
{
for(i=0;i<(size_t) -1;i++)
putchar("!");
/* at this point sytem wraps round */
/* now we can put up to 127 bytes exploit code at an illegal point in
memory*/
printf("Uggleuggle^&*!!runme\n");
return 0;
}
Chris Dollin said:What would be this?
I can't imagine why you think something would be that. (Well, I can,
but the presented options are inappropriate for this newsgroup; I'm
already worried enough about SCORPION STARE.)
And fgets() is in practise too difficult for any but the best programmers
to
use safely.
It is pretty good stab at using fgets() safely, but in fact it isn't right.
When we supply a line of greater that SIZE_MAX bytes the "size" variable
will wrap.
On most machines SIZE_MAX also indicates the total memory available
to the machine, so malloc() can only fail long before this point is
reached, and the function is OK, as long as the caller remembers to
flush the input on fail to deal with the half-read data. However if that
is not the case it asks for what is probably a block of zero bytes, then
write a string to it, i.e. undefined behaviour. Depending on the realloc
internals, by putting strategically-placed NULs in the initial input,
which fgets() will then read (another problem with the code) we can then
direct a 127-byte exploit string to where we want in memory.
So the answer Michael Brennan's question is, no, the code isn't safe,
although it is acceptable for everyday use in a non-security
non-portable environment.
And in this case it could on some platforms lead to UB and possibly open aFlash Gordon said:Malcolm McLean wrote, On 29/04/07 18:26:
I would say that ANY process which has an effectively unbounded buffer
growth is not secure, since it can be used for a denial of service attack.
No it doesn't. It's one data point.In any case, one programmer not getting it quite right is not proof that
only the best programmers can use fgets safely.
Harald van Dijk said:I do not agree. If a build-time warning is issued, code using gets
will continue to function properly. A conforming implementation can do
this. If a build-time error is issued, code using gets will need to be
changed. A conforming implementation cannot do this, but for this I
might agree that it's broken in a somewhat useful way, though I would
still not use it. If a run-time warning is issued, code using gets
will continue to build, but run incorrectly. A conforming
implementation cannot do this, and the problem may well be caught too
late to be useful.
Charles Richmond said:Hey, I use gets() all the time in "quick and dirty"
programs. I have some programs that take data in
flat files and create scripts of SQL statements to
add the data to a MySQL database. I just can *not*
see how gets() is going to cause me a security problem
here.
Also, in writing an adventure game or any other game
without secure access, that using gets() is okay.
But gcc still dogs me about using gets(). :-( I could
deal with a warning message, but gcc incorporates code
to print out a nasty message *every* time I run my code.
No fair... ;-)
Keith said:A build-time warning does not violate the standard. An implementation
can warn about anything it likes.
As for a run-time warning, it's certainly true that such an
implementation is non-conforming. Flash didn't say otherwise; he
merely said that it's *usefully* non-conforming.
A build-time warning does not violate the standard. An implementation
can warn about anything it likes.
As for a run-time warning, it's certainly true that such an
implementation is non-conforming. Flash didn't say otherwise; he
merely said that it's *usefully* non-conforming.
And in this case it could on some platforms lead to UB and possibly open
a hole for exploit code to be introduced.
The denial of service could be more severe than that. Since he grows by
the length of the string we can stall the process for as long as we want
by passing it nul bytes. So we can grab as much memory as we want and
then keep it for as long as we want.
No it doesn't. It's one data point.
Flash said:Keith Thompson wrote, On 29/04/07 20:16:
Keith is entirely correct, both about what I said and more importantly
what I meant.
In fact, if I knew how to enable such a message on my systems I *would*
enable it and remove any SW that used gets. I would especially like such
a warning enabled on the various servers I have some control over, since
I take security of servers very seriously and getting rid of
fundamentally unsafe SW is a good step towards security.
I know, I explained why I do not think this is useful. I'm sorry if I
didn't word my message clearly enough, but I meant that I would rather
have an implementation not provide gets() at all than include a
defective one.
Flash said:Harald van Dijk wrote, On 29/04/07 20:57:
An implementation not providing gets is just as broken as far as the
standard is concerned as an implementation providing a broken one.
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.