X-Authentication-Warning: delorie.com: mailnull set sender to djgpp-bounces using -f
From: info AT hoekstra-uitgeverij DOT nl (Richard Bos)
Newsgroups: comp.lang.c,comp.os.msdos.djgpp,comp.lang.c++
Subject: Re: String substitution to another
Date: Mon, 10 Dec 2001 16:58:14 GMT
Organization: Go wash your mouth.
Lines: 34
Message-ID: <3c14e81b.6578878@news.tiscali.nl>
References: <3C151123 DOT D1E94FE8 AT surfeu DOT fi> <3c149894 DOT 7181858 AT news DOT tiscali DOT nl> <9v2knf$htt$0 AT 216 DOT 39 DOT 135 DOT 9>
NNTP-Posting-Host: vp219-199.worldonline.nl
X-Trace: reader1.tiscali.nl 1008003130 426 195.241.219.199 (10 Dec 2001 16:52:10 GMT)
X-Complaints-To: newsmaster AT tiscali DOT nl
NNTP-Posting-Date: Mon, 10 Dec 2001 16:52:10 +0000 (UTC)
X-Newsreader: Forte Free Agent 1.21/32.243
To: djgpp AT delorie DOT com
DJ-Gateway: from newsgroup comp.os.msdos.djgpp
Reply-To: djgpp AT delorie DOT com

Aaron Evans wrote:

> Richard Bos wrote:
>
> > That's what people thought before the Internet worm struck, yes. Believe
> > you me: every single use of gets() is a mistake. Sooner or later, you
> > _will_ get bitten by it.
>
> how is
>
> gets(filename) || length > MAXLINELENGTH
>
> more dangerous than
>
> fgets (strline, MAXLINELENGTH, fileptr);

fgets() will read MAXLINELENGTH characters at most, and stop reading
when it reaches its limit. gets(), OTOH, will stop at nothing but a
'\n'. If you feed it more input than it has memory for, it will merrily
(try to) write beyond the memory it is allowed to write in, overwriting
what was already there. If you're lucky, that's just another string
variable, leading to semi-obvious junk. If you're really lucky, it's an
address, leading to a very obvious crash. If you're unlucky, gets()
could overwrite vital data, in a way that you won't detect until you've
already used them. If you're really unlucky, those vital data contain
your length variable, which could make your check for buffer overflow
never even evaluate to true...

In all these cases, though, the damage is done during the gets() call.
By the time you get to check for overflow, the damage has already been
done, and there's nothing you can do to stop it being done, because
gets() just does not check anything. fgets() does.

Richard
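
Added example, not part of Richard Bos's post: the fgets() side of the comparison above, with the over-long-line check made inside the bounded read instead of after an unbounded one. The names read_line, first_line_status and the LINE_* codes are hypothetical, and the input strings are constructed.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this example. */
enum { LINE_EOF = -1, LINE_OK = 0, LINE_TRUNCATED = 1 };

/* Read one line into buf (capacity size, terminator included).
 * fgets() stores at most size-1 characters, so nothing outside buf is
 * ever written; an over-long line is reported, not overflowed.
 * An unusable buffer size is treated like end of input. */
int read_line(char *buf, size_t size, FILE *fp)
{
    if (size < 2 || size > INT_MAX || fgets(buf, (int)size, fp) == NULL)
        return LINE_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';            /* whole line fit, drop the newline */
        return LINE_OK;
    }
    /* No newline stored: the line was too long, or input ended without
     * one. Discard the rest so the next call starts on a fresh line. */
    int c, dropped = 0;
    while ((c = getc(fp)) != '\n' && c != EOF)
        dropped = 1;
    return dropped ? LINE_TRUNCATED : LINE_OK;
}

/* Demo helper: run read_line() on the first line of constructed text. */
int first_line_status(const char *text, char *buf, size_t size)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return LINE_EOF;
    fputs(text, fp);
    rewind(fp);
    int status = read_line(buf, size, fp);
    fclose(fp);
    return status;
}

int main(void)
{
    char buf[8];
    int st = first_line_status("0123456789ABCDEF\n", buf, sizeof buf);
    printf("status=%d kept=\"%s\"\n", st, buf);
    return 0;
}
```

The caller learns about the over-long line from the return value while the buffer and everything next to it are still intact, which is what a length test after gets() cannot offer.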