Friday, March 16, 2012

Problems with gets()

fgets() and gets_s(): "If there was ever a hard and fast rule in secure programming in C and C++ it is this: Never use gets(). The gets() function reads a line from standard input into a buffer until a terminating newline or EOF is found. No check for buffer overrun is performed. The following quote is from the man page for the function:

Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer security.

There are two alternative functions that can be used: fgets() and gets_s(). Figure 1 shows how all three functions are used...."

https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/coding/300-BSI.html
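The bounded alternative the excerpt recommends, as an added example rather than code from the article: `read_line()` wraps fgets(), strips the newline, and handles the case the plain fgets() call leaves open, an input line longer than the buffer, by draining the remainder so the next read does not pick up the leftover bytes. The sample stream and the names `read_line`, `open_sample` and `line_status` are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of one bounded line read. */
enum line_status { LINE_OK, LINE_TRUNCATED, LINE_EOF };

/* Bounded replacement for gets(): fgets() stores at most size-1 bytes and
 * always NUL-terminates, so the buffer cannot overrun. The newline is
 * stripped, and if the line did not fit the rest of it is discarded so the
 * next call starts on a fresh line instead of returning the leftover. */
enum line_status read_line(char *buf, size_t size, FILE *in)
{
    if (buf == NULL || size == 0) return LINE_EOF;
    if (fgets(buf, (int)size, in) == NULL) { buf[0] = '\0'; return LINE_EOF; }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') { buf[len - 1] = '\0'; return LINE_OK; }
    /* No newline: either the last line lacks one or the line was too long. */
    int c = getc(in);
    if (c == EOF) return LINE_OK;               /* final unterminated line, nothing lost */
    while (c != '\n' && c != EOF) c = getc(in); /* drain the over-long remainder */
    return LINE_TRUNCATED;
}

/* Constructed input (not from the article): a line that fits an 8-byte
 * buffer, one far too long for it, and a final line without a newline. */
FILE *open_sample(void)
{
    static const char sample[] = "short\nAAAAAAAAAAAAAAAAAAAA\ntail";
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    fputs(sample, f);
    rewind(f);
    return f;
}

int main(void)
{
    /* The pattern the article warns against would be: char line[8]; gets(line);
     * which keeps writing past line[7] when the input is longer. */
    char line[8];
    FILE *f = open_sample();
    if (f == NULL) return 1;
    enum line_status st;
    while ((st = read_line(line, sizeof line, f)) != LINE_EOF)
        printf("%-9s \"%s\"\n", st == LINE_TRUNCATED ? "truncated" : "ok", line);
    fclose(f);
    return 0;
}
```

The example uses fgets() rather than gets_s() because gets_s() belongs to the optional Annex K of C11, which glibc does not implement; gets() itself was removed from the language in C11.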
