Re: [Lit.] Buffer overruns

From: Douglas A. Gwyn (DAGwyn_at_null.net)
Date: 12/29/04


Date: Wed, 29 Dec 2004 12:27:04 -0600

Paul Rubin wrote:
> "Douglas A. Gwyn" <DAGwyn@null.net> writes:
>>By my reasoning, anybody who switches word processors in the hope
>>that the new one's spelling checker will fix his horrible spelling
>>is likely to be deluding himself that he has fixed his spelling problem.
> But if the documents are used in an environment where the slightest
> spelling error can result in a security failure with potentially
> catastrophic consequences, it would be uncautious for even the most
> careful writers to use a word processor without a spelling checker.

I haven't been saying that a safety net isn't useful,
just that it doesn't get the job done.

> Using PL's without bounds checking in security applications is
> similarly uncautious, no matter how careful the programmer is.

There I disagree. The marginal utility of a tenth
safety net can be quite small when you already have
nine safety nets and a negligible chance of needing
any of them. If the right sort of care is taken in
the software development process, the circumstances
under which this particular safety net would come
into play are already reduced to an insignificant
level, compared with other opportunities for trouble.

Surely you don't think that code like
        byte_t in[80], out[80], key[20];
        // ...
        encrypt(in, out, 180, key, 20);
where the 180 is the buffer length, would pass any
competent code or security review. So why should the
very same mistake using variables instead of constants
pass such a review? The problem is the lack of a
competent review, not the PL.
Note: I wouldn't recommend such simplistic buffer
design anyway, but I'm keeping the example simple
to reduce how much has to be understood.
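
Added illustration, not part of the original post: the same length mistake made with a variable instead of a constant, run against a hypothetical interface in which each buffer carries its own capacity so the callee can refuse the call. The names buf_t, BUF_OF, encrypt_checked and demo, and the XOR stand-in for encrypt, are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

typedef unsigned char byte_t;

/* Hypothetical buffer descriptor: the capacity travels with the pointer. */
typedef struct {
    byte_t *data;
    size_t  cap;
} buf_t;

/* Only valid on true arrays, where sizeof yields the array size. */
#define BUF_OF(arr) ((buf_t){ (arr), sizeof(arr) })

/* Stand-in for the post's encrypt(): XOR with a repeating key.
 * Not a real cipher; only the length handling matters here. */
static void encrypt_raw(const byte_t *in, byte_t *out, size_t len,
                        const byte_t *key, size_t keylen)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ key[i % keylen];
}

/* Checked entry point: returns 0 on success, -1 if any buffer is
 * missing, the key is empty, or len exceeds either data buffer. */
int encrypt_checked(buf_t in, buf_t out, size_t len, buf_t key)
{
    if (in.data == NULL || out.data == NULL || key.data == NULL)
        return -1;
    if (key.cap == 0 || len > in.cap || len > out.cap)
        return -1;
    encrypt_raw(in.data, out.data, len, key.data, key.cap);
    return 0;
}

/* The post's scenario with the length held in a variable:
 * 80-byte buffers, caller-supplied length (constructed input). */
int demo(size_t requested)
{
    byte_t in[80] = {0}, out[80] = {0}, key[20];
    memset(key, 0x5a, sizeof key);
    return encrypt_checked(BUF_OF(in), BUF_OF(out), requested, BUF_OF(key));
}
```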


