[15925] in bugtraq

Re: StackGuard with ... Re: [Paper] Format bugs.

daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Hannah_Schr=F6ter?=)
Mon Jul 24 13:13:57 2000

Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id:  <20000724122004.A27958@schlund.de>
Date:         Mon, 24 Jul 2000 12:20:04 +0200
Reply-To: =?iso-8859-1?Q?Hannah_Schr=F6ter?= <hannah@SCHLUND.DE>
From: =?iso-8859-1?Q?Hannah_Schr=F6ter?= <hannah@SCHLUND.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <4.3.2.7.2.20000721224040.04b04b90@localhost>; from Brett Glass
              on Fri, Jul 21, 2000 at 10:48:57PM -0600

Hello!

On 07/21, Brett Glass wrote:

> 2) The C language itself has no way of specifying a MINIMUM number of
> arguments for a function call. Had the compiler noted that setproctitle()
> and similar functions need at least two arguments, the mistakes would
> have been caught from the get-go.

However, setproctitle("foo") is correct and safe!

> [...]

> The former requires changing the conventions used by the standard C
> libraries, which is probably infeasible.

Not only that, but reasonable alternatives are cumbersome in C.
Compare the C *printf* and similar functions with what is possible in
Standard ML (strongly typed formats, where the compiler can check
that the arguments are applied according to the format in *every* case)
or experimental type systems like Cayenne's (you can derive the parameter
types from a C style format *string*, and the call is accepted only if
the compiler can prove at compile time that the arguments always match
the format string, see http://www.cs.chalmers.se/~augustss/cayenne/
for details; note that in practice undecidable type systems aren't that
much of a problem. The type system of C++ is undecidable, too). In other
languages, there can at least be safe runtime checking, such as
Lisp's format function.

> [...]

Regards, Hannah.
--
Hannah Schröter                Technik              hannah@schlund.de
Bei Schlund + Partner AG       Erbprinzenstr. 4-12  D-76133 Karlsruhe

Visit our car market http://www.webauto.de/
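
Added example, not part of the original message: a runtime check in the spirit of the "safe runtime checking" mentioned above, which derives the argument types a C format string demands and accepts a call only when they match what is supplied. The names fmt_signature and fmt_matches are hypothetical, and only a simplified subset of printf directives is handled.

```c
#include <string.h>

/* Derive the argument types a printf-style format demands, one code per
 * consumed argument: 'i' int (also '*' width/precision), 'l' long,
 * 'f' double, 's' char *, 'p' void *, 'n' pointer written through by %n.
 * Returns the argument count, or -1 for a malformed or unsupported
 * directive (simplified: flags, width, precision and 'l' only). */
int fmt_signature(const char *fmt, char *sig, size_t siglen)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;             /* literal percent */
        p += strspn(p, "-+ #0");               /* flags */
        for (int part = 0; part < 2; part++) { /* width, then precision */
            if (part == 1) { if (*p != '.') break; p++; }
            if (*p != '*') { p += strspn(p, "0123456789"); continue; }
            if (n + 1 >= siglen) return -1;
            sig[n++] = 'i';                    /* '*' consumes an int */
            p++;
        }
        int is_long = (*p == 'l');
        p += is_long;
        if (is_long && !strchr("diuxXofeg", *p)) return -1;
        char code;
        switch (*p) {
        case 'd': case 'i': case 'u': case 'x': case 'X': case 'o': case 'c':
            code = is_long ? 'l' : 'i'; break;
        case 'f': case 'e': case 'g': code = 'f'; break;
        case 's': case 'p': case 'n': code = *p; break;
        default: return -1;                    /* includes a truncated "%" */
        }
        if (n + 1 >= siglen) return -1;
        sig[n++] = code;
    }
    if (n >= siglen) return -1;
    sig[n] = '\0';
    return (int)n;
}

/* Accept a call only if the format demands exactly the supplied types. */
int fmt_matches(const char *fmt, const char *supplied)
{
    char sig[32];
    return fmt_signature(fmt, sig, sizeof sig) >= 0 && strcmp(sig, supplied) == 0;
}
```

A constant title such as "foo" yields an empty signature and matches a call with no further arguments, while a string containing "%s%n" used as the format yields "sn" and is rejected for that same call.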