:: Re: [DNG] Systemd Shims
Top Page
Delete this message
Reply to this message
Author: Edward Bartolo
Date:  
To: Rainer Weikusat
CC: dng
Subject: Re: [DNG] Systemd Shims
Effectively, you are telling me don't play Russian Roulette with C.
But I like powerful languages that leave the coder in the wilderness
without any hand holding, and C is definitely like that. That is why I
am motivated to use it. The power inherent in C is due to it not
getting in the way of the coder, and I like that.



On 19/08/2015, Rainer Weikusat <rainerweikusat@???> wrote:
> Rainer Weikusat <rainerweikusat@???> writes:
>
>> Edward Bartolo <edbarx@???> writes:
>>> I am not assuming anything and understand the risks of buffer
>>> overflows. The first step I am taking is to make the code function.
>>> The second step is further debug it until it behaves properly and the
>>> third step is to correct any potential security issues.
>>
>> Realistically, the first step is 'make the code function', the second
>> step is 'graduate from university based on your thesis' and the 3rd was
>> called 'heartbleed', IOW, that's not going to happen in this way. If
>> you're doing string processing in C, try to do it correctly from the
>> start. That's much easier than retrofitting proper length/ size handling
>> onto
>> some working code.
>
> Example program showing a safe/ secure (and somewhat simplified)
> saveFile:
>
> --------
> #include <alloca.h>
> #include <stdio.h>
> #include <string.h>
>
> #define IFACE_TMPL \
>     "auto lo\n" \
>     "iface lo inet loopback\n\n" \
>     "iface wlan0 inet dhcp\n" \
>     "    wpa-ssid %s\n" \
>     "    wpa-psk \"%s\"\n"

>
> #define IFACES_PATH "/tmp"
>
> static void saveFile(char* essid, char* pw) //argv[1], argv[2]
> {
>     char *path;
>     FILE *fp;
>     unsigned p_len, e_len;

>
>     p_len = strlen(IFACES_PATH);
>     e_len = strlen(essid);
>     path = alloca(p_len + e_len + 2);

>     
>     strcpy(path, IFACES_PATH);
>     path[p_len] = '/';
>     strcpy(path + p_len + 1, essid);

>     
>     fp = fopen(path, "ab+");
>     fprintf(fp, IFACE_TMPL, essid, pw);
>     fclose(fp);
> }

>
> int main(int argc, char **argv)
> {
>     saveFile(argv[1], argv[2]);
>     return 0;
> }
> _______________________________________________
> Dng mailing list
> Dng@???
> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng

>