From: Terry Lambert
Message-Id: <199510021846.LAA22182@phaeton.artisoft.com>
Subject: Re: If not gets(), then what?
To: olsenc@ichips.intel.com
Date: Mon, 2 Oct 1995 11:46:50 -0700 (MST)
Cc: questions@freebsd.org
In-Reply-To: <9510021814.AA35311@dtt034.intel.com> from "olsenc@ichips.intel.com" at Oct 2, 95 11:14:13 am
Sender: owner-questions@freebsd.org

> I have a program that uses gets(), and FreeBSD complains about it.
> I read the manpage on gets(), and it says it's dangerous, but yet
> it doesn't mention any alternatives!
>
> Suggestions, recommendations, testimonials, confessions?

Use fgets( buf, XXX, stdin) in place of gets( buf). Replace XXX with the size of buf.

The "danger" is in the use of extremely long input lines to overflow the buffer and rewrite the stack. You remember the internet worm? This was the fingerd attack.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present or previous employers.
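
An added example, not part of the original message: the fgets() substitution suggested above, written out in C so that a line longer than the buffer is cut off and its remainder discarded instead of being returned as the next "line". read_line() and sample_input() are hypothetical helper names, and the input text is constructed.

```c
/* Added example, not from the original post. read_line() and sample_input()
 * are hypothetical helper names; the input text is constructed. */
#include <stdio.h>
#include <string.h>

enum { LINE_EOF = -1, LINE_OK = 0, LINE_TRUNCATED = 1 };

/* Bounded replacement for gets(buf): fgets() stores at most size-1 bytes
 * plus the NUL, so a long line cannot run past the end of buf. */
int read_line(FILE *fp, char *buf, int size)
{
    size_t len;
    int c, dropped = 0;

    if (size < 2 || fgets(buf, size, fp) == NULL)
        return LINE_EOF;              /* end of input, read error, or no room */
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';          /* gets() drops the newline; fgets() keeps it */
        return LINE_OK;
    }
    /* No newline stored: discard the rest of the line so the next call
     * starts on the next line instead of in the middle of this one. */
    while ((c = getc(fp)) != EOF && c != '\n')
        dropped = 1;
    return dropped ? LINE_TRUNCATED : LINE_OK;
}

/* Constructed input: a short line, a line that exactly fills an 8-byte
 * buffer, an overlong line, and a last line with no trailing newline. */
FILE *sample_input(void)
{
    FILE *fp = tmpfile();
    if (fp != NULL) {
        fputs("short\n1234567\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nnext\ntail", fp);
        rewind(fp);
    }
    return fp;
}

int main(void)
{
    char buf[8];                      /* XXX in the reply is sizeof buf here */
    FILE *fp = sample_input();
    int rc;
    while (fp && (rc = read_line(fp, buf, (int)sizeof buf)) != LINE_EOF)
        printf("%-7s %s\n", buf, rc == LINE_TRUNCATED ? "(truncated)" : "");
    return fp ? 0 : 1;
}
```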