At 11:41 PM -0400 3/20/09, Gary McGraw wrote:

> once long ago I spilt a bottle of wine with dan geer

> we argued for hours about whether a buffer overflow was
> a bug or a flaw.  if you find one in a code pile (say,
> caused by a local variable on the stack and a gets call),
> it is a bug.  Or is it a flaw that the C stack grows in
> an incredibly stupid way?

That reasoning has a bit of not being able to see the forest
for the trees.

The root problem (and I do not care about the terminology)
is that the C programming language promotes the use of
uncounted strings.
-- 
Larry Kilgallen
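The pattern the thread describes (a stack-local array filled by gets, with nothing tracking how many bytes the buffer can hold) is exactly what a counted string removes. The block below is an added example, not code from either poster: it assumes a fixed 64-byte buffer standing in for the stack-local array, carries the length with the bytes so every write is bounds-checked, and replaces gets with a bounded reader that reports truncation instead of writing past the end. The input lines are constructed inline; fmemopen (POSIX) stands in for stdin so it runs offline.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Counted string: the length travels with the bytes, so a writer can refuse
   instead of overrunning. The fixed array mirrors the stack-local buffer in the post. */
typedef struct {
    char buf[64];   /* storage, one byte reserved for the terminating NUL */
    size_t len;     /* bytes in use, not counting the NUL */
} cstr;

void cstr_init(cstr *s) { s->len = 0; s->buf[0] = '\0'; }

/* Append n bytes; return 0 and leave s untouched if they would not fit. */
int cstr_append(cstr *s, const char *src, size_t n) {
    if (n > sizeof s->buf - 1 - s->len) return 0;
    memcpy(s->buf + s->len, src, n);
    s->len += n;
    s->buf[s->len] = '\0';
    return 1;
}

/* Bounded replacement for gets(): reads at most sizeof buf - 1 bytes, strips the
   newline, and sets *truncated when the line was longer than the buffer (the
   remainder of that line is discarded so the next call starts on a fresh line).
   Returns 0 at end of input. */
int read_line_bounded(FILE *in, cstr *s, int *truncated) {
    cstr_init(s);
    *truncated = 0;
    if (!fgets(s->buf, sizeof s->buf, in)) return 0;
    s->len = strlen(s->buf);
    if (s->len && s->buf[s->len - 1] == '\n') {
        s->buf[--s->len] = '\0';
    } else if (s->len == sizeof s->buf - 1) {
        /* buffer filled without a newline: peek to see whether more of the line remains */
        int c = fgetc(in);
        if (c != EOF && c != '\n') {
            *truncated = 1;
            while ((c = fgetc(in)) != EOF && c != '\n') { }
        }
    }
    return 1;
}

/* Count how many lines of `input` did not fit the buffer. */
int count_truncated_lines(const char *input) {
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    if (!in) return -1;
    cstr line;
    int truncated, n = 0;
    while (read_line_bounded(in, &line, &truncated)) n += truncated;
    fclose(in);
    return n;
}

/* Constructed input: a 100-byte line (too long for the 64-byte buffer), then a short one. */
int demo_oversized_line(void) {
    char input[128];
    memset(input, 'A', 100);
    memcpy(input + 100, "\nshort\n", 8);   /* 7 characters plus the NUL */
    return count_truncated_lines(input);   /* only the first line is truncated */
}

/* Constructed append: 5 bytes fit, a further 80 must be refused with the buffer intact. */
int demo_append_refused(void) {
    cstr s;
    char big[80];
    cstr_init(&s);
    memset(big, 'B', sizeof big);
    if (!cstr_append(&s, "hello", 5)) return 0;
    if (cstr_append(&s, big, sizeof big)) return 0;     /* 5 + 80 > 63: must refuse */
    return s.len == 5 && strcmp(s.buf, "hello") == 0;   /* untouched by the refused append */
}

int main(void) {
    printf("truncated lines: %d\n", demo_oversized_line());
    printf("oversized append refused: %s\n", demo_append_refused() ? "yes" : "no");
    return 0;
}
```

The design choice is that the only code allowed to write into the array is code that knows its capacity, so an overlong line becomes a reported condition (truncated, remainder discarded) rather than a write past the end of the stack frame.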
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________