Path: sserve!newshost.anu.edu.au!munnari.oz.au!news.Hawaii.Edu!ames!elroy.jpl.nasa.gov!swrinde!cs.utexas.edu!rutgers!att-out!oucsboss!oucsace!sadkins
From: sadkins@bigbird.cs.ohiou.edu (Scott W. Adkins)
Newsgroups: comp.os.386bsd.questions
Subject: Re: Using gets() [ Was Re: nn ]
Message-ID: <1993Jul19.005949.28286@oucsace.cs.ohiou.edu>
Date: 19 Jul 93 00:59:49 GMT
References: <1993Jul17.203914.25267@fwi.uva.nl> <229qig$53k@pdq.coe.montana.edu> <OLEG.93Jul17185604@gd.cs.CSUFresno.EDU>
Sender: usenet@oucsace.cs.ohiou.edu (Network News Poster)
Organization: Ohio University CS Dept., Athens
Lines: 28

In article <OLEG.93Jul17185604@gd.cs.CSUFresno.EDU> oleg@gd.cs.CSUFresno.EDU (Oleg Kibirev) writes:
>
>Not to start another religious war... There is nothing wrong with using gets
>if there is no good reason for input to be longer than some limit. Like, a
>response to a yes/no question is very unlikely to be longer than 8 characters.
>If a user wants to break the program, he is welcome to do so (unless it's suid
>or a daemon). I would just compile nn with my own version of gets:

But it *is* a problem. Isn't that how the internet worm took seed and kind
of ran amuck various systems? Essentially, you have no control of what is
located *after* the buffer of memory that the keyboard input is supposedly
being written to. If the user decides to overwrite the buffer into, maybe
code space, then all kinds of neat things could happen.

But, as I reread what you said, at least damage would be minimal if the
program is not suid or a daemon... but still, the idea is to replace gets()
so that it is never used. The replacement function that was given above
(except, I kind of deleted it) and other versions previously posted are the
right idea (if they truly work). Maybe somebody should send mail to the
authors of nn about it so that maybe it will be officially fixed?

Scott

--
Scott W. Adkins                Internet: sadkins@ohiou.edu
~~~~~~~~~~~~~~~                          ak323@cleveland.freenet.edu
Ohio University of Athens      Bitnet:   adkins@ouaccvma.bitnet
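
A bounded replacement for gets() of the kind this thread asks for, as an added example that is not code from this post, the earlier posts, or nn. The names read_line and open_sample are hypothetical and the input is constructed; the 8-byte buffer matches the yes/no case in the quoted text.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* read_line: hypothetical bounded stand-in for gets() (name is an assumption).
 * Stores at most size-1 characters plus a NUL, so input cannot run past buf.
 * Returns 0 for a complete line, 1 if the line was too long (buf holds the
 * truncated prefix, the excess is discarded), -1 on EOF or error. */
int read_line(FILE *fp, char *buf, size_t size)
{
    size_t len;
    int c, truncated = 0;

    if (fp == NULL || buf == NULL || size == 0 || size > INT_MAX)
        return -1;
    if (fgets(buf, (int)size, fp) == NULL)
        return -1;                    /* nothing read; buf is not meaningful */
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* whole line fit: strip the newline */
        return 0;
    }
    /* No newline stored: drain the rest of the line so the next call
     * starts on fresh input instead of on the tail of the long line. */
    while ((c = getc(fp)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

/* Constructed sample input, served from a temp file so the demo runs offline. */
FILE *open_sample(const char *text)
{
    FILE *fp = tmpfile();
    if (fp != NULL && fputs(text, fp) != EOF)
        rewind(fp);
    return fp;
}

int main(void)
{
    char answer[8];   /* sized for a yes/no reply, as in the quoted post */
    FILE *fp = open_sample("yes\nAAAAAAAAAAAAAAAAAAAAAAAA\nno\n");
    int rc;
    if (fp == NULL) return 1;
    while ((rc = read_line(fp, answer, sizeof answer)) >= 0)
        printf("rc=%d answer=\"%s\"\n", rc, answer);
    fclose(fp);
    return 0;
}
```

The return value lets the caller reject or re-prompt on an overlong reply instead of silently acting on a truncated one.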