DragonFly BSD
DragonFly kernel List (threaded) for 2003-12
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Re: More thinking securely...


From: Dave Leimbach <leimySPAM2k@xxxxxxx>
Date: 10 Dec 2003 08:44:57 -0600

<jarkko.hietaniemi@xxxxxxxxx> writes:

> >     'safe' situations where old functions are used (like
> >     sprintf(buf, "%d", v)), simply because then the audited 
> 
> Safe?
> 
> 	char buf[8];
> 	sprintf(buf, "%d", v);

You need to know how many decimal digits are in an "int" to feel good
about that code.  Then you have to leave room for the '\0'.

C++ stringstream anyone? :)  [Oooh... I said a cuss word in a Unix/BSD 
community - "C++".]

Type safety has some advantages.... and I don't care how the hell clever you
are with stdint.h from C99.  You still have to know what the printf format
strings are going to do.

"%hhd" = char sized decimal
"%hd"  = short sized decimal
"%d"   = int sized decimal
"%ld"  = long sized decimal
"%lld" = long long sized decimal.

There is no format string I am aware of that can do %64d for a 64bit
integer.  Of course that doesn't mean they don't exist... I am just not
aware of them :)

C has these problems designed in for you to deal with :).  C++ tries to
eliminate some of them through "streams" but no one wants to play the ABI
game or include a lot of C++ code in a Unix kernel... it's not traditional
and probably carries some pretty serious overhead with it that people
don't want to deal with.

I don't think systems will be able to become very trustably secure until
C is dealt with though... somehow.

Perhaps kernels should be written in Cyclone instead:
http://www.research.att.com/projects/cyclon/e

Dave
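
The following C program is an added illustration of the point argued in the message above; it is not part of Dave's post or of the DragonFly source tree. It sizes the buffer from the integer type instead of guessing, replaces the unchecked sprintf() with a bounds-checked snprintf() that reports failure rather than overflowing, and prints a 64-bit value with the PRId64 macro that C99's <inttypes.h> provides for exactly that purpose. The INT_DECIMAL_BUFSIZE macro, the function names and the sample values are my own choices, not anything from the thread.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on the bytes needed to print any value of integer type T in
 * decimal: each 8-bit byte contributes at most 3 decimal digits (log10(256)
 * is about 2.41), plus one byte for a leading '-' and one for the terminating
 * '\0'.  It is a compile-time constant, so it can size a stack buffer.
 * (Assumed helper, not from the original post.) */
#define INT_DECIMAL_BUFSIZE(T) (3 * sizeof(T) + 2)

/* Exact number of bytes (digits, sign and NUL) that "%d" needs for v. */
size_t bytes_needed_for_int(int v)
{
    return (size_t)snprintf(NULL, 0, "%d", v) + 1;
}

/* 1 if the char buf[8] from the quoted sprintf() example can hold v, else 0. */
int buf8_is_enough_for(int v)
{
    return bytes_needed_for_int(v) <= 8;
}

/* Bounds-checked replacement for sprintf(buf, "%d", v).  Returns 0 on success
 * and -1 if buf is too small; on failure buf is left as the empty string
 * rather than a silently truncated (and therefore wrong) number. */
int format_int_checked(char *buf, size_t bufsize, int v)
{
    if (buf == NULL || bufsize == 0)
        return -1;
    int n = snprintf(buf, bufsize, "%d", v);
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Same for a 64-bit integer.  PRId64 from <inttypes.h> expands to the right
 * length modifier for int64_t on the current platform ("ld" or "lld"), so
 * the caller never has to know which C type int64_t really is. */
int format_i64_checked(char *buf, size_t bufsize, int64_t v)
{
    if (buf == NULL || bufsize == 0)
        return -1;
    int n = snprintf(buf, bufsize, "%" PRId64, v);
    if (n < 0 || (size_t)n >= bufsize) {
        buf[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char small[8];                           /* the buffer from the quoted example */
    char ok[INT_DECIMAL_BUFSIZE(int)];       /* sized from the type, not guessed */
    char wide[INT_DECIMAL_BUFSIZE(int64_t)];

    /* INT_MIN is the worst case: "-2147483648" is 11 characters plus NUL. */
    printf("INT_MIN needs %zu bytes; char buf[8] enough? %d\n",
           bytes_needed_for_int(INT_MIN), buf8_is_enough_for(INT_MIN));
    printf("into buf[8]:  rc=%d \"%s\"\n",
           format_int_checked(small, sizeof small, INT_MIN), small);
    printf("into buf[%zu]: rc=%d \"%s\"\n", sizeof ok,
           format_int_checked(ok, sizeof ok, INT_MIN), ok);
    printf("int64_t:      rc=%d \"%s\"\n",
           format_i64_checked(wide, sizeof wide, INT64_MIN), wide);
    return 0;
}
```

The check `(size_t)n >= bufsize` is the part people forget: snprintf() returns the length the full string would have had, so a return value equal to or larger than the buffer size means the output was cut off, and the code above treats that as an error instead of handing a mangled number to the caller.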



