Date:      Fri, 07 Mar 1997 09:03:54 -0500 (EST)
From:      "Jeffrey M. Metcalf" <jeffrey_m._metcalf@ccmail.bms.com>
To:        Zach Heilig <zach@blizzard.gaffaneys.com>
Cc:        questions@freebsd.org, metcalf@snet.net
Subject:   Re[2]: What does gets() unsafe question mean?
Message-ID:  <9702078577.AA857755172@ccgate0.bms.com>

     Thank You for the reply Zach,
     
     I just wrote the following on a sun4
     
     
     
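     #include <stdio.h>
     
     int main() {
     
     char buf[1];   /* room for the terminating NUL only */
     
     puts("Enter lots of text and press enter:");
     gets(buf);     /* no length argument: writes past buf[0] */
     printf("\n\n");
     puts(buf);     /* prints from buf[0] up to the first NUL */
     return 0;
     
     }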
     
     
     Entering a huge line of text results in the _exact_ same huge line of
     text on stdout.  Why should this be if buf was only declared to
     be char[1]?  Is it because gets is allowing me to put characters
     into memory sequentially and then when buf (pointer to the first
     character of array, buf[0]) is returned via puts, I get everything
     until the first newline?  Or does SunOS have its own implementation
     of gets()/puts()?  Incidentally, I don't get the warning message
     from SunOS.
     
     You mentioned gets() creates problems and security holes with setuid 
     programs.  Given the result in the above paragraph from SunOS, is it
     reasonable to assume that a non setuid program that uses gets() on 
     SunOS is reasonably safe if the program is well written?  Or is there
     much more involved here?
     
     Lastly, is the fgets() function call the much better (and safer)
     choice to get a line from stream?  Since it reads 'at most n chars'
     from stream, I presume it is safer due to more controllable
     boundary conditions.  Am I correct?
     
     Thank You,
     
     J. Metcalf


______________________________ Reply Separator _________________________________
Subject: Re: What does gets() unsafe question mean?
Author:  Zach Heilig <zach@blizzard.gaffaneys.com> at *Internet*
Date:    3/7/97 3:24 AM


>>>>> "Jeffrey" == Jeffrey M Metcalf <metcalf@snet.net> writes:
     
> Hello, I recently wrote a little C program which uses the stdio.h 
> function gets().  I compiled and ran it under FreeBSD and I get..
     
> warning: this program uses gets(), which is unsafe.
     
> What exactly does this mean?  Why is it unsafe?  If possible, can 
> any replies be sent as an e-mail to the above address?
     
Compile this small program:
     
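#include <stdio.h>
int main() {
    char buf[1];   /* one byte: any input at all overflows it */
    puts("Enter lots of text and press enter:"); 
    gets(buf);     /* gets() cannot be told how large buf is */
    return 0;
}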
     
Run it, and follow instructions.  This will usually crash an MS-DOS 
machine, and it crashed the pty driver on one version of unix I 
tried it on (it was awhile ago, and I don't remember which machine 
it happened on).  I had to telnet in from another box, and kill the 
processes attached to that terminal so it would log out and reset.
     
This sort of programming has been the cause of far too many security 
holes in sendmail and many other setuid programs.
     
-- 
Zach Heilig (zach@blizzard.gaffaneys.com) | ALL unsolicited commercial email 
Support bacteria -- it's the only         | is unwelcome.  I avoid dealing 
form of culture some people have!         | with companies that email ads.
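
An added example, not part of either message in this thread: the fgets() approach asked about above, carried through to the cases gets() cannot handle (a line longer than the buffer, a line that fits exactly, and a last line with no newline). The helper name read_line() and its return codes are assumptions made for this illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Added example; read_line() is a hypothetical helper, not from the thread.
 * Reads one line into buf, whose capacity is size bytes including the NUL.
 * Returns  1: whole line stored, newline stripped
 *          0: line longer than the buffer; the first size-1 bytes are
 *             stored and the rest of that line has been discarded
 *         -1: EOF, read error, or unusable size before anything was read */
int read_line(FILE *fp, char *buf, size_t size)
{
    size_t len;
    int c;

    if (size < 2 || size > INT_MAX || fgets(buf, (int)size, fp) == NULL)
        return -1;

    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    /* No newline stored: the input ended, the line fit exactly,
     * or the line was too long.  Peek at the next byte to tell. */
    c = getc(fp);
    if (c == EOF || c == '\n')
        return 1;
    /* Overlong line: drain it so the next call starts on a fresh line. */
    while (c != '\n' && c != EOF)
        c = getc(fp);
    return 0;
}

int main(void)
{
    char buf[16];
    int rc;

    puts("Enter lots of text and press enter:");
    while ((rc = read_line(stdin, buf, sizeof buf)) != -1)
        printf("%s: \"%s\"\n", rc ? "ok" : "truncated", buf);
    return 0;
}
```

Unlike the gets() programs above, the write into buf never exceeds sizeof buf, and an overlong line is reported to the caller instead of spilling into adjacent memory.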



