From: c2a192@ugrad.cs.ubc.ca (Kazimir Kylheku)
Subject: Re: ANSI C and POSIX (was Re: C/C++ knocks the crap out of Ada)
Date: 1996/04/09
Message-ID: <4kf6drINN4pg@keats.ugrad.cs.ubc.ca>
References: <4ke0ciINNgg8@keats.ugrad.cs.ubc.ca>
Organization: Computer Science, University of B.C., Vancouver, B.C., Canada
Newsgroups: comp.lang.ada,comp.lang.c,comp.lang.c++,comp.edu

In article , Robert I. Eachus wrote:

> I hope that everyone following this thread knows that this
> "undefined" behavior led to one of the security holes exploited by
> the Morris Internet worm.

No, this was something to do with gets being applied to an automatic buffer.

If you picture the downward growing stack on a Sun3 or VAX, imagine what you can do if you can overrun a stack array variable with bytes that spell out machine code. If you are clever, you can overwrite the buffer in such a way that the return address on the stack is modified to jump to the other portions of your array. This can be done thanks to absolute addressing on a machine with virtual address spaces, where each process always starts out with the same stack pointer value. Once you jump to your array, you have control of the machine. You can do system calls galore---and if you are running under euid 0, you are God.

I should try this under Linux just for fun.
The POSIX.1 standard was not even around then, by the way.

> Undefined only means unusable in some contexts, and if the C read
> had a way to know the size of the buffer passed, that particular
> security hole would not have existed.

That much is true, modulo s/read/gets/. The read function has a way to know the buffer size, namely the nbytes argument. (There is no read in C, by the way.) The gets() function has no such argument and should be avoided like the plague except in totally trivial, makeshift programs or in debugging.

There are still some old-timer bugs that plague (commercial) UNIX: try typing a !%s%s%s%s command to the C shell (not tcsh, but the more crappy real one that you actually _pay_ for when you buy a SVR4 unix). It tries to tell you that the %s%s%s%s event is not found in the history. But guess what? It uses raw printf(), so the %s's get interpreted as format strings. The function looks for non-existent arguments, resulting in strange behavior, like crap being printed on the terminal.
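Added example (not part of the original post, and not the shell's or any worm's code): the two defects the post describes, shown in their defensive form. The first function is a bounded line reader that replaces gets() and reports whether the input exceeded the buffer; the second builds a history "Event not found" message with a fixed format string and the user text as a `%s` argument, so conversions typed by the user are copied literally instead of being interpreted. The function names, the message wording and the sample inputs are constructed for this example; the message is a stand-in for the real shell's, not its source.

```c
#include <stdio.h>
#include <string.h>

/*
 * Bounded replacement for gets(). Reads one line from `in` into buf[bufsz].
 * Returns 0 when the whole line fit, 1 when the line was longer than the
 * buffer (the stored prefix is kept and the rest of the line is discarded so
 * the next read starts on a fresh line), -1 on EOF before any data or on error.
 * gets() has no size argument and writes past the array; fgets() stops after
 * bufsz - 1 characters, which is exactly the check the post says gets() lacks.
 */
int read_line_bounded(FILE *in, char *buf, size_t bufsz)
{
    if (bufsz == 0 || fgets(buf, (int)bufsz, in) == NULL)
        return -1;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* strip the newline: the line fit */
        return 0;
    }

    /* No newline stored: either EOF without a trailing newline (fine) or the
       line was longer than the buffer. Drain to end of line to tell them apart. */
    int c, truncated = 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        truncated = 1;
    return truncated ? 1 : 0;
}

/* Offline helper (constructed for this example): run read_line_bounded over a string. */
int read_line_from_string(const char *input, char *buf, size_t bufsz)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    fputs(input, f);
    rewind(f);
    int rc = read_line_bounded(f, buf, bufsz);
    fclose(f);
    return rc;
}

/*
 * Stand-in for the shell's "Event not found" message. The bug the post
 * describes is the pattern printf(user_text): the user's text becomes the
 * format, so "%s%s%s%s" makes printf fetch arguments that were never passed.
 * The fix is a fixed format with the user text as a "%s" argument; any
 * conversions in `event` are then copied literally. Returns snprintf's count.
 */
int history_not_found_msg(char *out, size_t outsz, const char *event)
{
    /* Unsafe form, kept only as a comment: snprintf(out, outsz, event); */
    return snprintf(out, outsz, "%s: Event not found.", event);
}

int main(void)
{
    char buf[8];   /* deliberately small to exercise the truncation path */
    int rc = read_line_from_string("this line is longer than the buffer\n", buf, sizeof buf);
    printf("rc=%d stored=\"%s\"\n", rc, buf);   /* rc=1 stored="this li" */

    char msg[64];
    history_not_found_msg(msg, sizeof msg, "%s%s%s%s");
    printf("%s\n", msg);                       /* %s%s%s%s: Event not found. */
    return 0;
}
```

Draining the rest of an over-long line matters: without it the leftover bytes are read as the next line, which is how a single too-long input turns into several unexpected commands. Modern compilers flag the non-literal format pattern (gcc and clang under `-Wformat-security`), which is the cheapest check to run over an old code base for the csh-style bug.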