From: CBFalconer <cbfalconer@worldnet.att.net>
Organization: Ched Research
Newsgroups: comp.lang.ada,comp.lang.c,comp.lang.c++,comp.lang.functional
Subject: Re: How Ada could have prevented the Red Code distributed denial of service attack.
Date: Sun, 05 Aug 2001 06:00:38 GMT
Message-ID: <3B6CD64F.E96911F8@yahoo.com>
References: <3B6555ED.9B0B0420@sneakemail.com> <87n15lxzzv.fsf@deneb.enyo.de> <3B672322.B5EA1B66@home.com> <5ee5b646.0108010949.5abab7fe@posting.google.com>

David Lee Lambert wrote:
> ... snip ...
>
> In C, one has to think ahead a little in some situations, but it's still
> quite straightforward to write overflow-free code once one has been
> introduced to the right functions: fgets(), snprintf(), (non-ANSI)
> strlcpy()...

Oh, how about:

   #define BUF1SZ 10
   ...
   #define BUF2SZ 20
   ...
   char buf1[BUF1SZ];          /* buffer sized by one constant ... */
   ...
   fgets(buf1, BUF2SZ, stdin); /* ... read sized by a different one */

and I have no idea where the error will hit. The equivalent in any range
checking language will hit at the read, if not at the compile.

Before you say the programmer shouldn't have done that, consider the
thousands of lines that may be represented by the ... and that the
statements may even be in different files.

-- 
Chuck F (cbfalconer@yahoo.com) (cbfalconer@XXXXworldnet.att.net)
   (Remove "XXXX" from reply address. yahoo works unmodified)
   mailto:uce@ftc.gov  (for spambots to harvest)
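The mismatch above survives because BUF2SZ is a constant independent of the array it is supposed to describe. As an added example (not from the post or its authors), here is a C reader that takes the size from the array itself via sizeof and reports truncation instead of silently overrunning; the input line and the BUF1SZ/BUF2SZ names are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

#define BUF1SZ 10   /* constructed: same narrow buffer as in the post */
#define BUF2SZ 20   /* constructed: the unrelated constant that caused the overrun */

/* Read one line into buf, never writing past bufsz bytes.
 * Returns 1 if the whole line fit, 0 if it was truncated (rest discarded),
 * -1 on EOF or error. */
static int read_line(char *buf, size_t bufsz, FILE *in) {
    if (bufsz == 0 || fgets(buf, (int)bufsz, in) == NULL)
        return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[n - 1] = '\0';
        return 1;
    }
    /* No newline in the buffer: either the line fit exactly, the file ended
     * without a newline, or the line was longer than the buffer. */
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 1;
    while (c != '\n' && c != EOF)   /* drop the overflow so the next read is clean */
        c = fgetc(in);
    return 0;
}

/* Ties the size to the array declaration; must be applied to an array,
 * not a pointer, or sizeof yields the pointer size instead. */
#define READ_LINE(arr, in) read_line((arr), sizeof(arr), (in))

/* Feeds a constructed 15-character line and a short line through the reader.
 * Returns 1 if the long line is reported truncated and the short one read
 * intact, 0 otherwise. BUF2SZ is deliberately never passed to fgets. */
static int demo_truncates_long_line(void) {
    static const char input[] = "0123456789ABCDE\nshort\n";  /* constructed */
    FILE *in = tmpfile();
    if (in == NULL) return 0;
    fputs(input, in);
    rewind(in);
    char buf1[BUF1SZ];
    int first = READ_LINE(buf1, in);
    int ok = (first == 0 && strcmp(buf1, "012345678") == 0);
    int second = READ_LINE(buf1, in);
    ok = ok && (second == 1 && strcmp(buf1, "short") == 0);
    ok = ok && (READ_LINE(buf1, in) == -1);
    fclose(in);
    return ok;
}
```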