From owner-freebsd-questions Fri Mar 7 06:45:10 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id GAA17013 for questions-outgoing; Fri, 7 Mar 1997 06:45:10 -0800 (PST)
Received: from cliff.bms.com (cliff.bms.com [140.176.1.102]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id GAA16981 for ; Fri, 7 Mar 1997 06:45:03 -0800 (PST)
Received: from ccgate0.bms.com by cliff.bms.com (PMDF V5.0-7 #15142) id <01IG7T12GT3K000EAI@cliff.bms.com>; Fri, 07 Mar 1997 09:41:31 -0500 (EST)
Received: from ccMail by ccgate0.bms.com (SMTPLINK V2.11 PreRelease 4) id AA857755172; Fri, 07 Mar 1997 09:03:54 -0500 (EST)
Date: Fri, 07 Mar 1997 09:03:54 -0500 (EST)
From: "Jeffrey M. Metcalf"
Subject: Re[2]: What does gets() unsafe question mean?
To: Zach Heilig
Cc: questions@freebsd.org, metcalf@snet.net
Message-id: <9702078577.AA857755172@ccgate0.bms.com>
Content-transfer-encoding: 7BIT
Sender: owner-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Thank You for the reply Zach,

I just wrote the following on a sun4

    #include <stdio.h>

    main()
    {
        char buf[1];
        puts("Enter lots of text and press enter:");
        gets(buf);
        printf("\n\n");
        puts(buf);
    }

Entering a huge line of text results in the _exact_ same huge line of
text on stdout. Why should this be if buf was only declared to be
char[1]? Is it because gets is allowing me to put characters into
memory sequentially and then when buf (pointer to the first character
of array, buf[0]) is returned via puts, I get everything until the
first newline? Or does SunOS have its own implementation of
gets()/puts()? Incidentally, I don't get the warning message from
SunOS.

You mentioned gets() creates problems and security holes with setuid
programs. Given the result in the above paragraph from SunOS, is it
reasonable to assume that a non setuid program that uses gets() on
SunOS is reasonably safe if the program is well written? Or is there
much more involved here?

Lastly, is the fgets() function call the much better (and safer)
choice to get a line from stream? Since it reads 'at most n chars'
from stream, I presume it is safer due to more controllable boundary
conditions. Am I correct?

Thank You,

J. Metcalf

______________________________ Reply Separator _________________________________
Subject: Re: What does gets() unsafe question mean?
Author: Zach Heilig at *Internet*
Date: 3/7/97 3:24 AM

>>>>> "Jeffrey" == Jeffrey M Metcalf writes:

> Hello, I recently wrote a little C program which uses the stdio.h
> function gets(). I compiled and ran it under FreeBSD and I get..

> warning: this program uses gets(), which is unsafe.

> What exactly does this mean? Why is it unsafe? If possible, can
> any replies be sent as an e-mail to the above address?

Compile this small program:

    #include <stdio.h>

    main()
    {
        char buf[1];
        puts("Enter lots of text and press enter:");
        gets(buf);
    }

Run it, and follow instructions. This will usually crash an MS-DOS
machine, and it crashed the pty driver on one version of unix I tried
it on (it was awhile ago, and I don't remember which machine it
happened on). I had to telnet in from another box, and kill the
processes attached to that terminal so it would log out and reset.

This sort of programming has been the cause of far too many security
holes in sendmail and many other setuid programs.

--
Zach Heilig (zach@blizzard.gaffaneys.com) | ALL unsolicited commercial email
Support bacteria -- it's the only         | is unwelcome. I avoid dealing
form of culture some people have!         | with companies that email ads.
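
Added example, not part of the original messages and not code from either poster: a bounded replacement for the gets() call in the test program above, built on fgets(). The names read_line and line_status are hypothetical; the reader strips the newline, reports when a line was too long for the buffer, and discards the excess so the next read starts on a fresh line.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK, LINE_TRUNCATED, LINE_EOF, LINE_BADSIZE };

/* Read one line of text from fp into buf, which holds size bytes
 * including the terminating NUL. Never writes past buf[size - 1].
 * The newline is stripped; if the line does not fit, the excess is
 * discarded so the next call starts on a fresh line. Assumes the
 * input contains no NUL bytes. */
enum line_status read_line(FILE *fp, char *buf, size_t size)
{
    size_t len;
    int c, lost = 0;

    /* A char[1] buffer, as in the thread, has room for the NUL only. */
    if (size < 2 || size > INT_MAX)
        return LINE_BADSIZE;
    if (fgets(buf, (int)size, fp) == NULL)
        return LINE_EOF;                 /* end of input or read error */
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';             /* the whole line fit */
        return LINE_OK;
    }
    /* No newline stored: drain the rest of the line, noting any loss. */
    while ((c = getc(fp)) != '\n' && c != EOF)
        lost = 1;
    return lost ? LINE_TRUNCATED : LINE_OK;
}

int main(void)
{
    char buf[16];
    enum line_status st;

    puts("Enter lots of text and press enter:");
    st = read_line(stdin, buf, sizeof buf);
    if (st == LINE_OK || st == LINE_TRUNCATED)
        printf("%s%s\n", buf, st == LINE_TRUNCATED ? " [truncated]" : "");
    return 0;
}
```

With a 16-byte buffer the program echoes at most 15 characters of the input, however long the typed line is, and the bytes beyond the buffer are never written.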