Date:      Tue, 20 Feb 2001 15:10:41 +0100
From:      mouss <usebsd@free.fr>
To:        Matt Dillon <dillon@earth.backplane.com>
Cc:        "Andrey Simonenko" <simon@comsys.ntu-kpi.kiev.ua>, freebsd-hackers@FreeBSD.ORG
Subject:   Re: Staticaly allocated buffers in library. Is it correct?
Message-ID:  <4.3.0.20010220150656.060411a0@pop.free.fr>
In-Reply-To: <200102192046.f1JKkl738082@earth.backplane.com>
References:  <Pine.BSF.4.21.0102171202110.400-100000@scorpion.cosmos.all.net> <96rash$1m1d$1@igloo.uran.net.ua> <4.3.0.20010219200743.054eae40@pop.free.fr>

At 12:46 19/02/01 -0800, Matt Dillon wrote:
>    Yes, but we are talking about simple stupid config files here.  Programs
>     which actually tokenize an input stream typically do not use fgets().
>     Tokenizers either use [f]lex, [f]getc(), read() (and handle the buffering
>     themselves), or mmap().

I used the tokenize() just as an example. I consider that every program that reads a line thinks it is a line and that the next fgets will read the _next_ line. But fgets doesn't guarantee that, so we have the following alternatives:
- assume the file is well formed (no overly long lines).
- check that the lines are not too long.

I personally prefer the second alternative. It has a cost, but it is more robust. How many times have we seen things assumed for some time, and then the code reused by someone else for another purpose, failing to check whether the assumptions are still true? This has often resulted in security problems.

So I'd go for "trust BUT control". And this is even more important in library functions.


cheers,
mouss


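The two alternatives described in the message, worked through in C as an added example (this is not code from the thread or from FreeBSD's libc). It assumes nothing beyond standard C: the sample "config file" is a constructed string, turned into a FILE* with tmpfile() so the snippet runs offline, and the function names (read_line_checked, naive_line_count, checked_line_count) are my own. The naive loop treats every fgets() return as a line; the checked variant verifies that a newline was actually read, drains the remainder of an overlong line so the next call really starts at the next line, and reports the truncation to the caller instead of silently handing back a fragment.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input (not from the thread): the middle line is far
 * longer than the 16-byte buffer used in main() below. */
#define LONG_LINE "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" /* 40 chars */
static const char SAMPLE[] = "key=value\n" LONG_LINE "\n" "last=1\n";

enum line_status { LINE_OK, LINE_TOO_LONG, LINE_EOF };

/* Turn an in-memory string into a FILE* using only standard C. */
static FILE *text_stream(const char *text)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return NULL;
    fputs(text, fp);
    rewind(fp);
    return fp;
}

/* fgets() plus the check the message asks for: did we read a whole line?
 * If the buffer filled before a newline, the rest of the physical line is
 * skipped so the *next* call starts at the next line, and the caller is told
 * the line was too long. (Lines containing NUL bytes are not handled here,
 * since strlen() would stop early.) */
static enum line_status read_line_checked(FILE *fp, char *buf, size_t size)
{
    if (fgets(buf, (int)size, fp) == NULL)
        return LINE_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';            /* complete line: strip the newline */
        return LINE_OK;
    }

    /* No newline: either an unterminated final line, or a truncated one. */
    int c = fgetc(fp);
    if (c == EOF)
        return LINE_OK;                 /* last line without '\n', still whole */
    while (c != EOF && c != '\n')       /* truncated: drain to end of line */
        c = fgetc(fp);
    return LINE_TOO_LONG;
}

/* First alternative: assume the file is well formed and count fgets() calls. */
static int naive_line_count(const char *text, size_t bufsize)
{
    char buf[256];
    if (bufsize > sizeof buf)
        bufsize = sizeof buf;
    FILE *fp = text_stream(text);
    if (fp == NULL)
        return -1;
    int n = 0;
    while (fgets(buf, (int)bufsize, fp) != NULL)
        n++;
    fclose(fp);
    return n;
}

/* Second alternative: count physical lines and report how many were too long. */
static int checked_line_count(const char *text, size_t bufsize, int *too_long)
{
    char buf[256];
    if (bufsize > sizeof buf)
        bufsize = sizeof buf;
    FILE *fp = text_stream(text);
    if (fp == NULL)
        return -1;
    int n = 0;
    *too_long = 0;
    for (;;) {
        enum line_status st = read_line_checked(fp, buf, bufsize);
        if (st == LINE_EOF)
            break;
        n++;
        if (st == LINE_TOO_LONG)
            (*too_long)++;
    }
    fclose(fp);
    return n;
}

int main(void)
{
    int too_long;
    int naive = naive_line_count(SAMPLE, 16);
    int checked = checked_line_count(SAMPLE, 16, &too_long);
    printf("naive, 16-byte buffer:   %d \"lines\"\n", naive);
    printf("checked, 16-byte buffer: %d lines, %d too long\n", checked, too_long);
    return 0;
}
```

With a 16-byte buffer the naive loop reports five "lines" for a three-line file, because the 40-character line is delivered in three pieces and each piece would be parsed as its own config entry; the checked loop reports three lines, one of them flagged as too long. With a buffer large enough for every line both agree, which is exactly why the missing check goes unnoticed until the input changes.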