More thinking securely...
    Dave Leimbach 
    leimySPAM2k at mac.com
    Wed Dec 10 06:44:57 PST 2003

<jarkko.hietaniemi at xxxxxxxxx> writes:
> >     'safe' situations where old functions are used (like
> >     sprintf(buf, "%d", v)), simply because then the audited 
> 
> Safe?
> 
> 	char buf[8];
> 	sprintf(buf, "%d", v);
You need to know how many decimal digits are in an "int" to feel good
about that code.  Then you have to leave room for the '\0'.
C++ stringstream anyone? :)  [Oooh... I said a cuss word in a Unix/BSD 
community - "C++".]
Type safety has some advantages.... and I don't care how the hell clever you
are with stdint.h from C99.  You still have to know what the printf format
strings are going to do.
"%hhd" = char sized decimal
"%hd"  = short sized decimal
"%d"   = int sized decimal
"%ld"  = long sized decimal
"%lld" = long long sized decimal.
There is no format string I am aware of that can do %64d for a 64bit
integer.  Of course that doesn't mean they don't exist... I am just not
aware of them :)
C has these problems designed in for you to deal with :).  C++ tries to
eliminate some of them through "streams" but no one wants to play the ABI
game or include a lot of C++ code in a Unix kernel... it's not traditional
and probably carries some pretty serious overhead with it that people
don't want to deal with.
I don't think systems will be able to become very trustably secure until
C is dealt with though... somehow.
Perhaps kernels should be written in Cyclone instead:
http://www.research.att.com/projects/cyclon/e
Dave
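The buf[8] / sprintf(buf, "%d", v) case above, worked through in C as an added example (this is not code from the thread or from any kernel tree). It sizes the buffer from the width of the type using the common sizeof*CHAR_BIT*302/1000 idiom, which is an assumption about how one wants to size such buffers rather than anything the post prescribes, replaces sprintf with snprintf and checks the return value for truncation, and formats an int64_t with the PRId64 macro from C99's <inttypes.h>, which is the portable answer to the "%64d" question: there is no width-suffixed conversion, but the macro expands to the right length modifier for the platform. The function names are hypothetical.

```c
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Worst-case size of the decimal rendering of an integer type, assumed
 * sizing rule (not from the original post): 302/1000 under-approximates
 * log10(2) = 0.30103 and the integer division floors, so the +3 covers
 * the rounding, the '-' sign and the terminating NUL.
 * For a 32-bit int this gives 12 bytes, enough for "-2147483648". */
#define DEC_BUFSIZE(type) ((sizeof(type) * CHAR_BIT * 302) / 1000 + 3)

size_t int_dec_bufsize(void)   { return DEC_BUFSIZE(int); }
size_t int64_dec_bufsize(void) { return DEC_BUFSIZE(int64_t); }

/* The pattern from the thread, kept only as a comment because calling it
 * with v = INT_MIN writes 12 bytes into an 8-byte buffer (undefined
 * behaviour, in practice a stack overflow):
 *
 *     char buf[8];
 *     sprintf(buf, "%d", v);
 */

/* Hardened form: snprintf never writes more than bufsz bytes, and its
 * return value (the length that *would* have been written) tells us
 * whether the value fit. Returns 0 on success, -1 on truncation (buf then
 * holds a NUL-terminated but truncated string that must not be used). */
int format_int_checked(char *buf, size_t bufsz, int v)
{
    int n = snprintf(buf, bufsz, "%d", v);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return 0;
}

/* Same for a fixed-width 64-bit integer: PRId64 from <inttypes.h> expands
 * to the correct conversion ("ld" or "lld") for int64_t on this platform. */
int format_i64_checked(char *buf, size_t bufsz, int64_t v)
{
    int n = snprintf(buf, bufsz, "%" PRId64, v);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return 0;
}

int main(void)
{
    char small[8];                       /* the buffer from the thread */
    char big[DEC_BUFSIZE(int)];          /* sized from the type's width */
    char big64[DEC_BUFSIZE(int64_t)];

    printf("worst-case int buffer: %zu bytes\n", int_dec_bufsize());
    printf("INT_MIN into char[8]: %s\n",
           format_int_checked(small, sizeof small, INT_MIN) == 0
               ? "ok" : "would not fit, rejected");
    if (format_int_checked(big, sizeof big, INT_MIN) == 0)
        printf("INT_MIN into char[%zu]: \"%s\"\n", sizeof big, big);
    if (format_i64_checked(big64, sizeof big64, INT64_MIN) == 0)
        printf("INT64_MIN into char[%zu]: \"%s\"\n", sizeof big64, big64);
    return 0;
}
```

The truncation check matters as much as the switch to snprintf: a caller that ignores the return value still gets a silently wrong string ("-214748" for INT_MIN in an 8-byte buffer), just without the memory corruption.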