GSoC 2008 dma enhancements

Joerg Sonnenberger joerg at britannica.bec.de
Wed Jun 11 15:02:48 PDT 2008


On Wed, Jun 11, 2008 at 05:36:25PM -0400, strangepics wrote:
> Also, for this, or any other service where security counts I would highly 
> recommend using a safe, easy to use string library such as the one included 
> in  libowfat: http://www.fefe.de/libowfat/

Now the next fanboy. *sigh*

> The standard C string functions, as the history continues to prove us (and 
> we continue to ignore it), SUCK for writing secure software. You don't want 
> to end up with either buffer overflows or string escape vulnerabilities, 
> etc.

. ..and people forget that a lot of thought has been put into this. But
some of the very basic ideas (strlcpy and strlcat) are still ignored by
the glibc folks. asprintf is another example that simplifies correct
string processing a lot. All those examples follow the spirit of the C
standards and don't aim at replacing them. I'm not even sure what you
mean with string escape vulnerabilities, but if you mean the super
class of SQL injection and similiar issues, there is no 100% solution.
It doesn't even have a good automatic solution.

Joerg





More information about the Kernel mailing list