Re: Stack growth direction to thwart buffer overflow attacks
phn_at_icke-reklam.ipsec.nu
Date: 08/19/03
- Next message: Frank Cusack: "Re: Stack growth direction to thwart buffer overflow attacks"
- Previous message: Nick Maclaren: "Re: Stack growth direction to thwart buffer overflow attacks"
- In reply to: Frank Cusack: "Re: Stack growth direction to thwart buffer overflow attacks"
- Next in thread: Frank Cusack: "Re: Stack growth direction to thwart buffer overflow attacks"
- Reply: Frank Cusack: "Re: Stack growth direction to thwart buffer overflow attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 19 Aug 2003 15:42:34 +0000 (UTC)
In comp.security.misc Frank Cusack <fcusack@fcusack.com> wrote:
> On Tue, 19 Aug 2003 07:57:42 +0000 (UTC) phn@icke-reklam.ipsec.nu wrote:
>> In comp.security.misc Frank Cusack <fcusack@fcusack.com> wrote:
>>> On Sat, 16 Aug 2003 13:05:20 -0400 Tony Nelson <tonynlsn@shore.net> wrote:
>>>> Surely not. I prefer to use:
>>>>
>>>> target[0] = 0;
>>>> strncat(target,source,sizeof(target));
>>>>
>>>> strncat puts a NUL at the end of the string.
>>
>>> No, it doesn't. This is a prime example of what I think is a worse
>>> problem than the wrong language (C), it's not understanding how to
>>> use the API.
>>
>> Quoting from FreeBSD's manpage for strncat(3) :
> ...
> FreeBSD is not the standard. Prior to C99, strn* implementations were
> at the implementor's whim. Ahh ... that bit of info might shed some
> light on why it stinks. C99 may have tried to accommodate the various
> de facto implementations already in existence, rather than DTRT.
Frankly I do not care about 'C99' since they don't deliver any software.
What I need comes from distributors, that's where I care.
> If you want to write correct programs, you cannot refer to vendor
> documentation for standard libraries as your baseline. You have to
> start with the standard docs (although H&S or K&R generally suffice)
> and then make variations for each platform.
> It just so happens that I am very aware of strn* problems. Many (most?)
> aren't. You shouldn't have to be a friggin expert to be able to use
> the language safely. With C, you do have to be an expert.
> I'm sure you yourself are an experienced programmer. Only someone of
> some reasonable level of knowledge would quote a manpage back to me.
> And even you don't know how to use strn* correctly. See how hard it
> is?
Well, selecting your vendor is an art. No one forces you to use
obsolete vendors' faulty implementations.
>>> Why strn* were designed so poorly is another question.
>>
>> Maybe some reading will make this clear ?
> Reading of what? C99 committee member's minds?
ANSI is getting less and less importance, Stallman and Torvalds get more.
> /fc
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
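
Added example, not part of the original message or of any poster's code: it runs the strncat idiom quoted in the thread next to a bounded variant and counts the bytes each writes beyond the destination's logical size. ISO C strncat appends at most n characters and then a terminating NUL, so it can write n+1 bytes. TARGET_SIZE, CANARY, struct probe and the function names are assumptions made for the illustration; the backing array is deliberately larger than the logical buffer so the stray write can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define TARGET_SIZE 8    /* logical size of "target" (constructed value) */
#define CANARY      0x55 /* fill byte used to detect stray writes */

/* Logical buffer is mem[0..TARGET_SIZE-1]; the rest is a guard area. */
struct probe { char mem[TARGET_SIZE + 8]; };

static void probe_init(struct probe *p) {
    memset(p->mem, CANARY, sizeof p->mem);
    p->mem[0] = '\0';                 /* same as target[0] = 0 in the post */
}

/* Number of guard bytes that no longer hold the canary value. */
static size_t bytes_past_end(const struct probe *p) {
    size_t n = 0;
    for (size_t i = TARGET_SIZE; i < sizeof p->mem; i++)
        if ((unsigned char)p->mem[i] != CANARY)
            n++;
    return n;
}

/* Idiom from the quoted post: n is the full size of the destination. */
size_t quoted_idiom(struct probe *p, const char *src) {
    probe_init(p);
    strncat(p->mem, src, TARGET_SIZE);
    return bytes_past_end(p);
}

/* Bounded variant: leave room for what is already there plus the NUL. */
size_t bounded_idiom(struct probe *p, const char *src) {
    probe_init(p);
    strncat(p->mem, src, TARGET_SIZE - strlen(p->mem) - 1);
    return bytes_past_end(p);
}

int main(void) {
    struct probe p;
    const char *src = "0123456789";   /* constructed input, longer than target */
    printf("quoted idiom:  %zu byte(s) past end\n", quoted_idiom(&p, src));
    printf("bounded idiom: %zu byte(s) past end\n", bounded_idiom(&p, src));
    return 0;
}
```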