From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham
	autolearn_force=no version=3.4.4
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: 103376,bc1361a952ec75ca
X-Google-Attributes: gid103376,public
X-Google-ArrivalTime: 2001-08-01 17:57:13 PST
Path: 
 archiver1.google.com!newsfeed.google.com!newsfeed.stanford.edu!newsfeeds.belnet.be!news.belnet.be!uni-erlangen.de!news-nue1.dfn.de!news-han1.dfn.de!news.fh-hannover.de!news.cid.net!news.enyo.de!news1.enyo.de!not-for-mail
From: Florian Weimer <fw@deneb.enyo.de>
Newsgroups: comp.lang.ada
Subject: Re: How Ada could have prevented the Red Code distributed denial of
 service attack.
Date: Thu, 02 Aug 2001 03:09:21 +0200
Organization: Enyo's not your organization
Message-ID: <87wv4nuv26.fsf@deneb.enyo.de>
References: <bebbba07.0107292308.d1192fc@posting.google.com>
 <slrn9ma7qp.nac.randhol@kiuk0156.chembio.ntnu.no>
 <3B6555ED.9B0B0420@sneakemail.com> <87n15lxzzv.fsf@deneb.enyo.de>
 <yecofq03kih.fsf@king.cts.com> <3B672322.B5EA1B66@home.com>
 <ppsemtojqkqsqpfvj1th3mae8b4vu1tg89@4ax.com>
 <tmfvrpmb575l80@corp.supernews.com>
 <5ee5b646.0108010949.5abab7fe@posting.google.com>
 <3b6885cf@news.sentex.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Xref: archiver1.google.com comp.lang.ada:11012
Date: 2001-08-02T03:09:21+02:00
List-Id: <comp.lang.ada>

hs@heaven.nirvananet (Hartmann Schaffer) writes:

> to be fair, afaik many implementations of the C library still contains
> the old getline(?) macro which is unsafe.  but the problem has been
> recognized for over 20 years now, everybody is strongly advised to use
> the (safe) fgetline, and afaik it is not in the standard any more.

Of course it's in the standard, of course it's not deprecated, of
course the security implications aren't mentioned.  Why should the C
standard bother with that?

strncpy() with completely bogus semantics is still there, too.

Regarding the subject line, I doubt that Ada would have made any
difference.  Quite a few providers were DDoSed because of what I
consider a design error in routers used for IP accounting.  Ada
wouldn't have helped here, I'm afraid.

The other DoS aspect of the worm (weak PRNG without proper seed) was
corrected in a later version and would not have been avoided by using
Ada (see A.5.2(28)).

IMHO, the Code Red worm itself is extraordinarily harmless, in
particular the second version.