Date: Tue, 20 Feb 2001 17:34:55 -0600
From: Lucas Bergman
To: Arthur Boynagryan
Cc: freebsd-questions@freebsd.org
Subject: Re: OT: Alternative to gets() function?

Hi --

> I've been reading man page for gets() and fgets() and noticed the
> following:
>
> "Since it is usually impossible to ensure that the next input line
> is less than some arbitrary length, and because overflowing the
> input buffer is almost invariably a security violation, programs
> should NEVER use gets()."
>
> What can you recommend instead of gets()?  Does this also apply to
> fgets()?  I'm mostly interested in fgets().

fgets() is safe, provided you're careful about its second parameter.
Observe that the following programs are equivalent except that the
first has undefined behavior (read: seg fault) if given a line of >99
characters on standard input.
In the second program, a line of >99 characters is truncated past the
99th character:

    #include <stdio.h>

    int main()
    {
        char s[100];
        gets(s);            /* no length limit: a long line overflows s */
        return 0;
    }

    #include <stdio.h>

    int main()
    {
        char s[100];
        fgets(s,99,stdin);  /* bounded by the second argument */
        return 0;
    }

Lucas
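
Added example, not part of the original message: a bounded line reader built on fgets() that also reports when a line did not fit and discards the excess, so the tail of a long line is not returned as the next "line". fgets() stores at most size-1 characters plus the terminating NUL, so sizeof s is passed directly; read_line(), the RL_* codes and sample_input() are names made up for this example, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

enum { RL_EOF = -1, RL_OK = 0, RL_TRUNCATED = 1 };  /* this example's own names */

/* Read one line into buf (size bytes including the NUL), strip the newline,
 * and discard whatever did not fit so the next call starts on a new line. */
int read_line(FILE *fp, char *buf, size_t size)
{
    size_t len;
    int c;
    /* A buffer with no room for data is treated like end of input. */
    if (size < 2 || fgets(buf, (int)size, fp) == NULL)
        return RL_EOF;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';              /* the whole line fit */
        return RL_OK;
    }
    c = getc(fp);                         /* no newline stored: look ahead */
    if (c == EOF || c == '\n')
        return RL_OK;                     /* exact fit, or last line at EOF */
    while (c != '\n' && c != EOF)         /* drain the rest of the long line */
        c = getc(fp);
    return RL_TRUNCATED;
}

/* Constructed sample: a short line, a 150-character line, a last line without newline. */
FILE *sample_input(void)
{
    FILE *fp = tmpfile();
    int i;
    if (fp == NULL) return NULL;
    fputs("short\n", fp);
    for (i = 0; i < 150; i++) putc('A', fp);
    fputs("\nlast", fp);
    rewind(fp);
    return fp;
}

int main(void)
{
    char s[100];
    FILE *fp = sample_input();
    int rc;
    if (fp == NULL) return 1;
    while ((rc = read_line(fp, s, sizeof s)) != RL_EOF)
        printf("%s: %zu chars kept\n", rc == RL_TRUNCATED ? "truncated" : "ok", strlen(s));
    fclose(fp);
    return 0;
}
```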