Mail Archives: djgpp/2001/12/11/00:02:47

X-Authentication-Warning: delorie.com: mailnull set sender to djgpp-bounces using -f
From: sean <sean AT NOSPAMplop DOT freeserve DOT co DOT uk>
Subject: Re: String substitution to another
Newsgroups: comp.lang.c,comp.os.msdos.djgpp,comp.lang.c++
Followup-To: comp.lang.c
References: <3C151123 DOT D1E94FE8 AT surfeu DOT fi> <3c149894 DOT 7181858 AT news DOT tiscali DOT nl> <9v2knf$htt$0 AT 216 DOT 39 DOT 135 DOT 9> <3C14CD57 DOT F9EEB80B AT iedu DOT com>
Lines: 18
Organization: home
User-Agent: KNode/0.4
MIME-Version: 1.0
Message-ID: <N09R7.34870$ez6.4978669@news2-win.server.ntlworld.com>
Date: Mon, 10 Dec 2001 20:41:36 +0000
NNTP-Posting-Host: 213.106.168.29
X-Complaints-To: abuse AT ntlworld DOT com
X-Trace: news2-win.server.ntlworld.com 1008016557 213.106.168.29 (Mon, 10 Dec 2001 20:35:57 GMT)
NNTP-Posting-Date: Mon, 10 Dec 2001 20:35:57 GMT
To: djgpp AT delorie DOT com
DJ-Gateway: from newsgroup comp.os.msdos.djgpp
Reply-To: djgpp AT delorie DOT com

Morris Dovey wrote:

> crashes. The worst possible result would be a hostile input /not/
> crashing the program; and causing the system to take destructive
> actions such as trashing the hard disk, erasing any NVRAMS, and
> sending insulting messages in your name to your boss.

Just a note to the OP, who might consider the above far-fetched:

Mr Dovey isn't being playful here (as in e.g. some of the more colourful
descriptions of undefined behaviour you will find in this group).  If you
use gets() to fill an auto buffer on a susceptible platform, an attacker
can cause your program to execute arbitrary code by a well-known technique.
There are people who spend their time searching for programs using gets()
and disseminating exploits to do exactly this.  If you distribute a program
using gets(), you should expect in due course that the people unfortunate
enough to use it will suffer consequences as severe as he describes.
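A bounded line reader to put in place of the gets() call the post warns about, added here as an illustration and not part of the original post or any poster's code; the names read_line_bounded and stream_from and the sample input are constructed for this example. It reports truncation rather than silently cutting the line, and drains the surplus so the next read starts on the next line.

```c
#include <stdio.h>
#include <string.h>
/* The pattern the post warns about (comment only; gets() was removed from
 * the C standard in C11): gets() cannot know the size of buf, so input longer
 * than 15 characters runs past the automatic array and corrupts the stack.
 *     char buf[16];
 *     gets(buf);     // unbounded: the 16th character already overflows
 */
enum line_status { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };

/* Bounded replacement: reads one line into dst (capacity cap >= 2), strips
 * the newline and reports whether the line was longer than fit.  Surplus
 * characters are drained so the next call starts at the next line. */
enum line_status read_line_bounded(char *dst, size_t cap, FILE *in)
{
    if (cap < 2 || fgets(dst, (int)cap, in) == NULL) {
        if (cap > 0) dst[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline in dst: the line filled the buffer exactly, ended the file
     * without a newline, or was too long.  Peek one character to tell which. */
    int c = getc(in);
    if (c == EOF || c == '\n') return LINE_OK;
    while (c != '\n' && c != EOF) c = getc(in);
    return LINE_TRUNCATED;
}

/* Helper: a temporary stream over constructed input, so stdin is not needed. */
FILE *stream_from(const char *text)
{
    FILE *f = tmpfile();
    if (f != NULL) { fputs(text, f); rewind(f); }
    return f;
}

int main(void)
{
    char buf[16];
    FILE *f = stream_from("short\n0123456789abcdefghij\nlast");
    enum line_status st;
    while (f != NULL && (st = read_line_bounded(buf, sizeof buf, f)) != LINE_EOF)
        printf("%-10s \"%s\"\n", st == LINE_TRUNCATED ? "truncated:" : "ok:", buf);
    if (f != NULL) fclose(f);
    return 0;
}
```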
