:: Re: [DNG] Systemd Shims
トップ ページ
このメッセージを削除
このメッセージに返信
著者: dr.klepp
日付:  
To: dng
題目: Re: [DNG] Systemd Shims
Am Mittwoch, 19. August 2015 schrieb Edward Bartolo:
> Effectively, you are telling me don't play Russian Roulette with C.
> But I like powerful languages that leave the coder in the wilderness
> without any hand holding, and C is definitely like that. That is why I
> am motivated to use it. The power inherent in C is due to it not
> getting in the way of the coder, and I like that.
>
>
>
> On 19/08/2015, Rainer Weikusat <rainerweikusat@???> wrote:
> > Rainer Weikusat <rainerweikusat@???> writes:
> >
> >> Edward Bartolo <edbarx@???> writes:
> >>> I am not assuming anything and understand the risks of buffer
> >>> overflows. The first step I am taking is to make the code function.
> >>> The second step is further debug it until it behaves properly and the
> >>> third step is to correct any potential security issues.
> >>
> >> Realistically, the first step is 'make the code function', the second
> >> step is 'graduate from university based on your thesis' and the 3rd was
> >> called 'heartbleed', IOW, that's not going to happen in this way. If
> >> you're doing string processing in C, try to do it correctly from the
> >> start. That's much easier than retrofitting proper length/ size handling
> >> onto
> >> some working code.
> >
> > Example program showing a safe/ secure (and somewhat simplified)
> > saveFile:
> >
> > --------
> > #include <alloca.h>
> > #include <stdio.h>
> > #include <string.h>
> >
> > #define IFACE_TMPL \
> >     "auto lo\n" \
> >     "iface lo inet loopback\n\n" \
> >     "iface wlan0 inet dhcp\n" \
> >     "    wpa-ssid %s\n" \
> >     "    wpa-psk \"%s\"\n"

> >
> > #define IFACES_PATH "/tmp"
> >
> > static void saveFile(char* essid, char* pw) //argv[1], argv[2]
> > {
> >     char *path;
> >     FILE *fp;
> >     unsigned p_len, e_len;

> >
> >     p_len = strlen(IFACES_PATH);
> >     e_len = strlen(essid);
> >     path = alloca(p_len + e_len + 2);

> >     
> >     strcpy(path, IFACES_PATH);
> >     path[p_len] = '/';
> >     strcpy(path + p_len + 1, essid);

> >     
> >     fp = fopen(path, "ab+");
> >     fprintf(fp, IFACE_TMPL, essid, pw);
> >     fclose(fp);
> > }

> >
> > int main(int argc, char **argv)
> > {
> >     saveFile(argv[1], argv[2]);
> >     return 0;
> > }
> > _______________________________________________
> > Dng mailing list
> > Dng@???
> > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

> >
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
>



You might want to do some error checking here :-)
> > path = alloca(p_len + e_len + 2);
> >     strcpy(path + p_len + 1, essid);



--
Please do not email me anything that you are not comfortable also sharing with the NSA.