From: Smelly Pooh (plop at domain redbrick.dcu.ie)
Date: Fri 04 May 2001 - 10:49:58 IST
In reply to Chris Higgins's flatulent wordings,
> >
> > As a side note, I'd generally stay away from C (and family), one of the very
> > few buffer overflowable languages in common use today
>
> Buffer overflows are introduced by programmers who won't/don't assume the
> worst case scenario while developing code - so they don't write code which can
> handle information outside of its expected norm.
No, that's not buffer overflowing, that's in the larger category of improper
input checking, for example using scanf to read an integer string into an
integer variable (scanf("%d", &int_var);): there is no buffer overflow, but
there is also no input checking, and you can knob up the program by not
entering an integer.
> If C (and family) is so bad, what languages (in common use) are buffer
> overflow proof then ? (Assuming standard x86 stack based hardware model,
> rather than lisp machines :)
Name any language that people use these days, PERL, Python, Lisp, ML, php and
so on. See, most languages these days are garbage collected (which usually
means data on the heap not the stack, except for basic types like ints and
chars) so if an overflow happens, it is at best a heap overflow (which is much
less common). Also most languages these days (including the above again) have
runtimes that detect when you try to access data past its limit (like writing
past the end of a string for example) and adjust for that.
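The scanf("%d", &int_var) case from the reply above, as an added example that is not part of the original post: the unchecked read beside a checked replacement. The sample inputs and the function names read_int_unchecked / read_int_checked are constructed for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* The unchecked scanf("%d", &int_var) from the post, reading from a string
 * so it can run offline. On non-numeric input scanf matches nothing, returns 0
 * and never touches int_var, so the program carries on with whatever was
 * there (here a sentinel; in real code, uninitialised stack garbage). */
int read_int_unchecked(const char *input)
{
    int int_var = -1;
    sscanf(input, "%d", &int_var);   /* return value ignored, as in the post */
    return int_var;
}

/* Checked replacement: accept only a complete decimal integer that fits in
 * an int. Returns 1 and stores the value, or 0 and leaves *out untouched. */
int read_int_checked(const char *input, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(input, &end, 10);
    if (end == input)                     /* no digits at all: "abc", "" */
        return 0;
    while (isspace((unsigned char)*end))
        end++;                            /* tolerate a trailing newline */
    if (*end != '\0')                     /* trailing junk: "12abc" */
        return 0;
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return 0;                         /* does not fit in an int */
    *out = (int)v;
    return 1;
}

int main(void)
{
    /* constructed sample inputs a user might type at the scanf prompt */
    const char *samples[] = { "42", "abc", "12abc", "99999999999" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = 0, ok = read_int_checked(samples[i], &v);
        printf("%-12s unchecked=%d  checked=%s\n", samples[i],
               read_int_unchecked(samples[i]), ok ? "accepted" : "rejected");
    }
    return 0;
}
```

Note that "12abc" is silently accepted as 12 by the unchecked version, which is the partial-match behaviour of %d rather than a failure.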
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:10:11 GMT