From: Dave Thiede
Date: 9 Sep 2000 at 18:01:09
Subject: Re: AMIOPEN: [Q] gets and puts
I also found when I just checked for the same possibility that the
egcs-2.91.66 compiler on my rh-6.2 system spits out a warning when you
use a gets() call. The Elate port of (2.8.1 ?) does not. Since so many
of the buffer overrun attacks are made when code uses the gets() call, I
would like to see the compiler upgraded so as to reduce the amount of
security vulnerability notices sent out about the Amiga.
BTW, for such a short program the fflush() call shouldn't be necessary.
With a normal exit, all buffers should be flushed and the streams closed.
dave
On Sat, 9 Sep 2000, Marc Culler wrote:
> On Sat, Sep 09, 2000 at 02:55:28PM +0200, John Niclasen wrote:
> > Ok, my little test program now looks like this:
> >
> > #include <stdio.h>
> >
> > int main(int argc, char **argv)
> > {
> >     char str[256];
> >
> >     gets(str);
> >     printf(">%s<\n", str);
> >     fflush(stdout);
> >
> >     return 0;
> > }
> >
> > The output of printf should be the string in between '>' and '<', but I
> > only see the "><", no matter what I type.
>
> Looks like a bug to me. I got the same results. There is nothing
> special about the < and > characters. However, if I replace
> gets(str);
> with
> fgets(str, 256, stdin);
> it works just fine, except of course that the string has LF at the end.
>
> The fgets call has the advantage that it won't overrun your buffer.
> But lib/gets, dangerous as it may be, does indeed seem to be broken.
>
> - Marc
> Subscribe/Unsubscribe: open-request@amiga.com
> Amiga FAQ: http://www.amiga.com/faq.html
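
Added example, not part of the original thread: a bounded replacement for the gets() call discussed above, built on fgets(), that strips the trailing LF and reports lines too long for the buffer instead of overrunning it. The names read_line, RL_EOF and RL_TRUNCATED are hypothetical and chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Return codes for read_line (hypothetical names for this example). */
enum { RL_EOF = -1, RL_TRUNCATED = -2 };

/*
 * Read one line from fp into buf (capacity `size`), without the trailing LF.
 * Returns the string length, RL_EOF at end of input or on a read error,
 * or RL_TRUNCATED when the line did not fit. On truncation buf holds the
 * first size-1 characters and the rest of the line is discarded, so the
 * next call starts at the next line rather than mid-line.
 */
long read_line(FILE *fp, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, fp) == NULL)
        return RL_EOF;

    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {            /* the whole line fit: drop the LF */
        buf[len] = '\0';
        return (long)len;
    }

    if (len + 1 == size) {             /* buffer filled before an LF was seen */
        int c = getc(fp);
        if (c != '\n' && c != EOF) {   /* more of this line remains: drain it */
            while ((c = getc(fp)) != '\n' && c != EOF)
                ;
            return RL_TRUNCATED;
        }
        /* next byte was LF or EOF: the line fit exactly */
    }
    return (long)len;                  /* last line with no terminating LF */
}

int main(void)
{
    char str[256];                     /* same buffer size as the test program */
    long n = read_line(stdin, str, sizeof str);

    if (n == RL_TRUNCATED)
        fprintf(stderr, "input line too long, truncated\n");
    if (n != RL_EOF)
        printf(">%s<\n", str);
    return 0;
}
```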