[TUHS] buffer overflow (Re: Happy birthday Morris worm

Dave Horsfall dave at horsfall.org
Wed Nov 13 08:54:35 AEST 2019

On Tue, 12 Nov 2019, Bakul Shah wrote:

> Unfortunately strcpy & other buffer overflow friendly functions are 
> still present in the C standard (I am looking at n2434.pdf, draft of 
> Sept 25, 2019). Is C really not fixable?

No; POSIX requires all sorts of broken functions be present, otherwise it 
is not compliant; heck, last I looked it even requires gets().  And let's 
not even mention pointers...  We are our own worst enemy.[*]

All is not lost, though; use strncpy() instead of strcpy() etc.  These 
days my first choice is Perl, despite it being bloated (I only use C if 
it's trivial or I need the speed).  I must look at Ruby, though...

Of if you were a Pogo fan, "We have met the enemy, and he is us".

-- Dave

More information about the TUHS mailing list