Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!lucy.swin.edu.au!news.rmit.EDU.AU!goanna.cs.rmit.edu.au!not-for-mail
From: maurice@goanna.cs.rmit.edu.au (Maurice Castro)
Newsgroups: comp.lang.c,comp.unix.bsd.freebsd.misc
Subject: Re: What does gets() unsafe question mean?
Followup-To: comp.lang.c,comp.unix.bsd.freebsd.misc
Date: 7 Mar 1997 18:12:09 +1100
Organization: Comp Sci, RMIT University, Melbourne, Australia.
Lines: 26
Message-ID: <5fof49$r0a$1@goanna.cs.rmit.edu.au>
References: <01bc2a8f$67037120$db083ccc@default>
NNTP-Posting-Host: localhost.cs.rmit.edu.au
NNTP-Posting-User: maurice
X-Newsreader: TIN [UNIX 1.3 950824BETA PL0]
Xref: euryale.cc.adfa.oz.au comp.lang.c:195515 comp.unix.bsd.freebsd.misc:36690

Jeffrey M. Metcalf (metcalf@snet.net) wrote:
: Hello,
:
: I recently wrote a little C program which uses the stdio.h function gets().
: I compiled and ran it under FreeBSD and I get..
:
: warning: this program uses gets(), which is unsafe.
:
: Jeffrey M. Metcalf
: metcalf@snet.net
:
: http://ruddles.stat.uconn.edu/~jeff
:

This message is generated to let users know a program uses the gets library
function. This function is regarded as unsafe as it places no limit on the
size of the buffer into which data is read. For any setuid or setgid program
this allows the buffer to be overwritten and new code or data to be inserted
into the running program, allowing any user of the program to subvert the
program and acquire the privileges given to that program.

Furthermore, it is not possible to write a truly reliable program which
allows its buffers to be overflowed, as this allows the behaviour of the
program to be changed by the input without reference to the code.

Maurice Castro
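Added example, not part of the post above: a bounded line reader built on fgets() that does what gets() cannot, namely respect the caller's buffer size, and that reports when a line was too long instead of silently writing past the end. The function names (read_line_bounded, demo) and the constructed input strings are assumptions for this illustration; demo() uses POSIX fmemopen() so it runs without a terminal.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Hypothetical gets() replacement: reads one line into buf (capacity n),
 * strips the trailing newline, and never writes beyond buf[n-1].
 * Returns  1 if the whole line fit,
 *          0 if the line was longer than the buffer (remainder discarded),
 *         -1 on EOF / read error with no data. */
int read_line_bounded(FILE *fp, char *buf, size_t n) {
    if (n == 0 || fgets(buf, (int)n, fp) == NULL) {
        if (n) buf[0] = '\0';
        return -1;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    /* No newline: either the input ended here, or the line did not fit. */
    int c = fgetc(fp);
    if (c == EOF) return 1;                  /* last line, no trailing newline */
    while (c != EOF && c != '\n') c = fgetc(fp); /* drop the over-long tail */
    return 0;
}

/* Feed a constructed in-memory input to read_line_bounded(). */
int demo(const char *input, char *buf, size_t n) {
    FILE *fp = fmemopen((void *)input, strlen(input), "r");
    if (fp == NULL) return -2;
    int rc = read_line_bounded(fp, buf, n);
    fclose(fp);
    return rc;
}

int main(void) {
    char buf[8];                              /* deliberately small buffer */
    int rc = demo("short\n", buf, sizeof buf);
    printf("rc=%d buf=\"%s\"\n", rc, buf);    /* rc=1 buf="short" */
    rc = demo("this line is far too long\nnext\n", buf, sizeof buf);
    printf("rc=%d buf=\"%s\"\n", rc, buf);    /* rc=0 buf="this li" */
    return 0;
}
```

With gets() the second input would have written 25 bytes into an 8-byte buffer; here the caller sees rc=0 and can reject the input.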