*BSD News Article 33518

Xref: sserve comp.os.386bsd.questions:11906 comp.os.386bsd.development:2352 comp.os.386bsd.misc:2914
Path: sserve!newshost.anu.edu.au!harbinger.cc.monash.edu.au!msuinfo!agate!howland.reston.ans.net!gatech!swrinde!news.uh.edu!uuneo.neosoft.com!Starbase.NeoSoft.COM!nobody
From: peter@Starbase.NeoSoft.COM (Peter da Silva)
Newsgroups: comp.os.386bsd.questions,comp.os.386bsd.development,comp.os.386bsd.misc
Subject: Re: Why does FreeBSD 1.1.5 say gets() is unsafe?
Date: 29 Jul 1994 21:51:12 -0500
Organization: NeoSoft Internet Services   +1 713 684 5969
Lines: 22
Message-ID: <31cf70$3c@Starbase.NeoSoft.COM>
References: <30lrf3$2ii@acmez.gatech.edu> <311m2e$o33@agate.berkeley.edu> <jmonroyCtMGq2.IC6@netcom.com> <Ctn5yy.3I0@cs.vu.nl>
NNTP-Posting-Host: starbase.neosoft.com

In article <Ctn5yy.3I0@cs.vu.nl>, Kees J. Bot <kjb@cs.vu.nl> wrote:
>I don't have gets() in the C library on my system (Minix-386vm) at all.
>Any gets(buf) call that I may find is immediately replaced by:

>	result = fgets(buf, sizeof(buf), stdin);
>	*strchr(buf, '\n') = 0;

This can result in writing through the null pointer if reading from a zero-length
file and the buffer is uninitialized, or on any EOF if the buffer is
reinitialized, which will core dump on OSF/1 and generate enforcer hits on
the Amiga.

	if(result = fgets(buf, sizeof(buf), stdin))
		*strchr(buf, '\n') = 0;

>This makes options 3) and 4) impossible, because a NULL-dereference will
>occur if 'buf' is overrun causing a core dump.

Um, could you explain this statement? I honestly don't understand whether
you were intentionally creating that null dereference or not. fgets will
not overrun the buffer, and gets overrunning the buffer has unpredictable
results, not simply a null dereference.
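An added example, not code from either poster: a bounded line reader that covers both NULL cases the thread touches on. The fgets() NULL return (EOF or error) is checked before strchr() is called, and a missing newline (line longer than the buffer, or a final line with no newline) is detected and reported instead of dereferenced. The names read_line, LINE_OK, LINE_TRUNCATED, run_demo and the input text are this example's own, and the input is a constructed string, not real data.

```c
#include <stdio.h>
#include <string.h>

/* Outcome codes returned by read_line(). */
enum { LINE_EOF = 0, LINE_OK = 1, LINE_TRUNCATED = 2 };

/*
 * Bounded replacement for gets(): reads one line from fp into buf[0..n-1].
 *   LINE_EOF        nothing was read (end of file or read error); buf is "".
 *   LINE_OK         a whole line fit; the trailing '\n' (if any) is removed.
 *   LINE_TRUNCATED  the line was longer than n-1 bytes; buf holds the prefix
 *                   and the rest of the line has been consumed and discarded.
 * Unlike "*strchr(buf, '\n') = 0", this never writes through a NULL pointer:
 * both fgets() returning NULL and strchr() returning NULL are handled.
 */
int read_line(char *buf, size_t n, FILE *fp)
{
    if (n == 0)
        return LINE_EOF;
    if (fgets(buf, (int)n, fp) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;
    }
    char *nl = strchr(buf, '\n');
    if (nl != NULL) {
        *nl = '\0';
        return LINE_OK;
    }
    /* No newline in the buffer: either the buffer was too small, or this is
     * a final line without a terminating newline. Drain the rest to find out. */
    int c;
    int dropped = 0;
    while ((c = getc(fp)) != EOF && c != '\n')
        dropped = 1;
    return dropped ? LINE_TRUNCATED : LINE_OK;
}

/* --- demo over a constructed input (not real data) --- */

#define DEMO_BUFSIZE 16         /* deliberately small to force truncation */
#define DEMO_MAXLINES 8

static const char DEMO_INPUT[] =
    "short\n"
    "this line is longer than sixteen bytes\n"
    "last";                     /* no trailing newline; not an error */

static char demo_lines[DEMO_MAXLINES][DEMO_BUFSIZE];
static int  demo_codes[DEMO_MAXLINES];

/* Feeds DEMO_INPUT through read_line() via a temporary file (tmpfile() is ISO C);
 * returns the number of lines read, or -1 if the temp file could not be created. */
int run_demo(void)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return -1;
    fwrite(DEMO_INPUT, 1, sizeof DEMO_INPUT - 1, fp);
    rewind(fp);

    int count = 0;
    int code;
    while (count < DEMO_MAXLINES &&
           (code = read_line(demo_lines[count], DEMO_BUFSIZE, fp)) != LINE_EOF) {
        demo_codes[count] = code;
        count++;
    }
    fclose(fp);
    return count;
}

int demo_code(int i) { return demo_codes[i]; }
const char *demo_line(int i) { return demo_lines[i]; }

int main(void)
{
    int n = run_demo();
    for (int i = 0; i < n; i++)
        printf("%d: code=%d text=\"%s\"\n", i, demo_code(i), demo_line(i));
    return 0;
}
```

With a 16-byte buffer the second line comes back as LINE_TRUNCATED holding only "this line is lo", and the caller decides what to do with an over-long line (reject it, log it, grow the buffer) rather than having the overflow, or a crash on the NULL from strchr(), make that decision for it.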