At 11:41 PM -0400 3/20/09, Gary McGraw wrote:

> once long ago I spilt a bottle of wine with dan geer
> we argued for hours about whether a buffer overflow was
> a bug or a flaw. if you find one in a code pile (say,
> caused by a local variable on the stack and a gets call),
> it is a bug. Or is it a flaw that the C stack grows in
> an incredibly stupid way?

That reasoning has a bit of not being able to see the forest for the trees.

The root problem (and I do not care about the terminology) is that the C programming language promotes the use of uncounted strings.

--
Larry Kilgallen
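Added example, not from the thread: a minimal counted-string type in C that keeps the capacity with the data, shown as a bounded stand-in for the gets-into-a-stack-array pattern discussed above; the cstr type and its functions are this example's own names, not any library's API, and the input is constructed in place of stdin.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Counted string (a hypothetical type for this example): the capacity
 * travels with the data, so every write is bounded by construction. */
typedef struct { char *buf; size_t cap; size_t len; } cstr;

void cstr_init(cstr *s, char *storage, size_t cap) {
    s->buf = storage; s->cap = cap; s->len = 0;
    if (cap > 0) s->buf[0] = '\0';
}

/* Append at most n bytes of src, always keeping room for the terminator.
 * Returns true when the input had to be truncated. */
bool cstr_append(cstr *s, const char *src, size_t n) {
    size_t room = (s->cap > 0) ? s->cap - 1 - s->len : 0;
    size_t take = (n < room) ? n : room;
    memcpy(s->buf + s->len, src, take);
    s->len += take;
    if (s->cap > 0) s->buf[s->len] = '\0';
    return take < n;
}

/* Bounded stand-in for gets(): reads one line, discarding any excess so the
 * next call starts fresh. Returns -1 on EOF with nothing read, 0 for a
 * complete line, 1 if the line was truncated to fit. */
int cstr_getline(cstr *s, FILE *in) {
    int c, status = -1;
    s->len = 0;
    if (s->cap > 0) s->buf[0] = '\0';
    while ((c = fgetc(in)) != EOF) {
        if (status < 0) status = 0;
        if (c == '\n') break;
        char ch = (char)c;
        if (cstr_append(s, &ch, 1)) status = 1;
    }
    return status;
}

int main(void) {
    FILE *in = tmpfile();                       /* constructed input in place of stdin */
    if (!in) return 1;
    fputs("short\nthis line is longer than the buffer\n", in); rewind(in);
    char storage[8];                            /* the small stack array gets() would overrun */
    cstr line;
    cstr_init(&line, storage, sizeof storage);
    for (int st; (st = cstr_getline(&line, in)) >= 0;)
        printf("%s \"%s\"\n", st ? "truncated:" : "complete: ", line.buf);
    fclose(in);
    return 0;
}
```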