Effectively, you are telling me don't play Russian Roulette with C. But I like powerful languages that leave the coder in the wilderness without any hand holding, and C is definitely like that. That is why I am motivated to use it. The power inherent in C is due to it not getting in the way of the coder, and I like that.
On 19/08/2015, Rainer Weikusat <[email protected]> wrote: > Rainer Weikusat <[email protected]> writes: > >> Edward Bartolo <[email protected]> writes: >>> I am not assuming anything and understand the risks of buffer >>> overflows. The first step I am taking is to make the code function. >>> The second step is further debug it until it behaves properly and the >>> third step is to correct any potential security issues. >> >> Realistically, the first step is 'make the code function', the second >> step is 'graduate from university based on your thesis' and the 3rd was >> called 'heartbleed', IOW, that's not going to happen in this way. If >> you're doing string processing in C, try to do it correctly from the >> start. That's much easier than retrofitting proper length/ size handling >> onto >> some working code. > > Example program showing a safe/ secure (and somewhat simplified) > saveFile: > > -------- > #include <alloca.h> > #include <stdio.h> > #include <string.h> > > #define IFACE_TMPL \ > "auto lo\n" \ > "iface lo inet loopback\n\n" \ > "iface wlan0 inet dhcp\n" \ > " wpa-ssid %s\n" \ > " wpa-psk \"%s\"\n" > > #define IFACES_PATH "/tmp" > > static void saveFile(char* essid, char* pw) //argv[1], argv[2] > { > char *path; > FILE *fp; > unsigned p_len, e_len; > > p_len = strlen(IFACES_PATH); > e_len = strlen(essid); > path = alloca(p_len + e_len + 2); > > strcpy(path, IFACES_PATH); > path[p_len] = '/'; > strcpy(path + p_len + 1, essid); > > fp = fopen(path, "ab+"); > fprintf(fp, IFACE_TMPL, essid, pw); > fclose(fp); > } > > int main(int argc, char **argv) > { > saveFile(argv[1], argv[2]); > return 0; > } > _______________________________________________ > Dng mailing list > [email protected] > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng > _______________________________________________ Dng mailing list [email protected] https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
