Hi all,
Whenever I use the gets() function, the gnu c compiler gives a
warning that it is dangerous to use gets(). why...?
regards,
jayapal.
Nov 16 '07
On Nov 16, 9:04 am, jayapal <jayapal...@gmail.com> wrote:
Hi all,
Whenever I use the gets() function, the gnu c compiler gives a
warning that it is dangerous to use gets(). why...?
For the same reason that failure to read the C-FAQ is dangerous.
Because you will look like a nincompoop due to the omission of common
sense.
12.23: Why does everyone say not to use gets()?
A: Unlike fgets(), gets() cannot be told the size of the buffer
it's to read into, so it cannot be prevented from overflowing
that buffer. As a general rule, always use fgets(). See
question 7.1 for a code fragment illustrating the replacement
of gets() with fgets().
References: Rationale Sec. 4.9.7.2; H&S Sec. 15.7 p. 356.
On Nov 16, 9:04 am, jayapal <jayapal...@gmail.com> wrote:
Whenever I use the gets() function, the gnu c compiler gives a
warning that it is dangerous to use gets(). why...?
No set of program control can prevent gets() from having undefined
behavior. In fact, basically all C compilers implement gets() to have
undefined behavior. Because of this, the function has been slated to
be deprecated in the next C standard. I have made a safe
implementation of gets() that you can find as the first example here: http://www.pobox.com/~qed/userInput.html
Please feel free to use it in lieu of the upcoming standard which will
make its usage obsolete.
--
Paul Hsieh http://www.pobox.com/~qed/ http://bstring.sf.net/
Paul Hsieh wrote on 11/16/07 14:43:
On Nov 16, 9:04 am, jayapal <jayapal...@gmail.com> wrote:
>>Whenever I use the gets() function, the gnu c compiler gives a warning that it is dangerous to use gets(). why...?
No set of program control can prevent gets() from having undefined
behavior. In fact, basically all C compilers implement gets() to have
undefined behavior. Because of this, the function has been slated to
be deprecated in the next C standard. I have made a safe
implementation of gets() that you can find as the first example here:
http://www.pobox.com/~qed/userInput.html
Please feel free to use it in lieu of the upcoming standard which will
make its usage obsolete.
Isn't there a buffer overrun vulnerability in the
fgetstralloc() function? Look carefully at the second
argument of the first call to getInputFrag().
-- Er*********@sun.com
CJ wrote:
On 16 Nov 2007 at 18:41, jacob navia wrote:
jayapal wrote:
Hi all,
Whenever I use the gets() function, the gnu c compiler gives a
warning that it is dangerous to use gets(). why...?
regards,
jayapal.
That function is deprecated and will disappear shortly.
Its usage is not recommended because there is no way to
limit the input that it will receive, and it can overflow
the input buffer.
This sort of absolute prohibition on gets() is completely wrong-headed.
It's completely fine to use gets(), as long as you use it properly. To
use it properly, *you* need to be in control of the data that gets()
reads.
Keep in mind, of course, that there's absolutely nothing you can do
within strictly conforming C code that would give you the kind of
control you need to have to use gets() safely. The safety of such
usage depends upon something outside the C standard, and more likely
than not, something outside of the program itself.
It's trivial to replace any call to gets() with a similar call to
fgets() with minor modifications to the surrounding code, and that
change is sufficient to completely avoid the buffer overruns. I don't
know of any legitimate reason for not doing so.
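The C-FAQ answer quoted earlier and the advice just above both say to swap gets() for fgets() with small changes around the call. What follows is an added example of what those changes are in practice; it is this editor's code, not code from the C-FAQ, from any poster in the thread, or from Paul Hsieh's userInput.html page. It assumes nothing beyond the standard C library: stream_from() is a helper that builds a seekable stream from a constructed string via tmpfile() so the readers can be exercised without a terminal. The point a bare fgets() substitution misses is that fgets() stops after size-1 bytes and leaves the rest of the line in the stream, so a naive replacement turns a buffer overflow into a desynchronised read: the leftover tail comes back as the "next line". read_line() detects that case, consumes the remainder and reports it; read_line_alloc() is the other option, growing the buffer until the whole line fits (the same goal Paul Hsieh describes for his safe gets(), though this is not his implementation).

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * The pattern the thread warns against, shown only in a comment: there is
 * no bound at all, so any line of 16 or more characters overruns `name`.
 *
 *     char name[16];
 *     gets(name);
 */

enum line_status { LINE_OK, LINE_TRUNCATED, LINE_EOF, LINE_ERROR };

/* Bounded replacement for gets(): reads at most size-1 bytes into buf,
 * strips the newline and reports whether the whole line fit. When it did
 * not, the rest of the line is consumed so the next call starts on a fresh
 * line instead of silently returning the tail of this one. */
enum line_status read_line(char *buf, size_t size, FILE *fp)
{
    if (buf == NULL || size == 0)
        return LINE_ERROR;

    int n = size > (size_t)INT_MAX ? INT_MAX : (int)size;
    if (fgets(buf, n, fp) == NULL) {
        buf[0] = '\0';
        return ferror(fp) ? LINE_ERROR : LINE_EOF;
    }

    size_t len = strlen(buf);   /* caveat: an embedded NUL byte cuts len short */
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }

    /* No newline in buf: the line either ended exactly at the buffer limit,
     * is the final unterminated line, or overflowed. One peeked byte tells
     * the cases apart: '\n' or EOF means nothing was lost. */
    int c = getc(fp);
    if (c == EOF || c == '\n')
        return LINE_OK;
    while (c != '\n' && c != EOF)   /* discard the part that did not fit */
        c = getc(fp);
    return LINE_TRUNCATED;
}

/* Alternative when truncation is unacceptable: grow the buffer to fit the
 * whole line. Returns a malloc'd string without the newline, or NULL when
 * nothing could be read (EOF, read error or allocation failure). Caller
 * frees the result. */
char *read_line_alloc(FILE *fp)
{
    size_t cap = 64, len = 0;
    char *buf = malloc(cap);
    if (buf == NULL)
        return NULL;

    int c;
    while ((c = getc(fp)) != EOF && c != '\n') {
        if (len + 1 >= cap) {          /* always keep room for the terminator */
            if (cap > SIZE_MAX / 2) { free(buf); return NULL; }
            cap *= 2;
            char *tmp = realloc(buf, cap);
            if (tmp == NULL) { free(buf); return NULL; }
            buf = tmp;
        }
        buf[len++] = (char)c;
    }
    if (c == EOF && len == 0) {        /* hit EOF before reading anything */
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    return buf;
}

/* Helper for exercising the readers on constructed input: tmpfile() is
 * standard C, so this avoids a dependency on POSIX fmemopen(). */
FILE *stream_from(const char *text)
{
    FILE *fp = tmpfile();
    if (fp == NULL)
        return NULL;
    fputs(text, fp);
    rewind(fp);
    return fp;
}

int main(void)
{
    char buf[32];
    enum line_status st;
    /* Echo stdin line by line, flagging lines that did not fit in 31 bytes. */
    while ((st = read_line(buf, sizeof buf, stdin)) != LINE_EOF && st != LINE_ERROR)
        printf("%s: \"%s\"\n", st == LINE_TRUNCATED ? "truncated" : "ok", buf);
    return st == LINE_ERROR ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Two caveats worth knowing before relying on this: strlen() is how fgets() callers find the end of the line, so input containing a NUL byte makes the line look shorter than what was actually read (a length-returning reader, as read_line_alloc() could easily be made, avoids that), and fgets() with a buffer of size 1 cannot store anything, so read_line() then reports every non-empty line as truncated. For the standards side of the thread, gets() was in fact removed outright from the library in C11.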
On 16 Nov 2007 at 20:47, ja*********@verizon.net wrote:
CJ wrote:
>On 16 Nov 2007 at 18:41, jacob navia wrote:
jayapal wrote: Hi all,
Whenever I use the gets() function, the gnu c compiler gives a warning that it is dangerous to use gets(). why...?
regards, jayapal.
That function is deprecated and will disappear shortly.
Its usage is not recommended because there is no way to
limit the input that it will receive, and it can overflow
the input buffer.
This sort of absolute prohibition on gets() is completely wrong-headed. It's completely fine to use gets(), as long as you use it properly. To use it properly, *you* need to be in control of the data that gets() reads.
Keep in mind, of course, that there's absolutely nothing you can do
within strictly conforming C code that would give you the kind of
control you need to have to use gets() safely. The safety of such
usage depends upon something outside the C standard, and more likely
than not, something outside of the program itself.
It's trivial to replace any call to gets() with a similar call to
fgets() with minor modifications to the surrounding code, and that
change is sufficient to completely avoid the buffer overruns. I don't
know of any legitimate reason for not doing so.
It's much more typing!
jacob navia <ja***@nospam.com> writes:
jayapal wrote:
>Whenever I use the gets() function, the gnu c compiler gives a warning that it is dangerous to use gets(). why...?
That function is deprecated and will disappear shortly.
It is not listed in the current C standard as deprecated.
--
"A lesson for us all: Even in trivia there are traps."
--Eric Sosman
On Fri, 16 Nov 2007 13:06:52 -0800, Ben Pfaff wrote:
jacob navia <ja***@nospam.com> writes:
>jayapal wrote:
>>Whenever I use the gets() function, the gnu c compiler gives a warning that it is dangerous to use gets(). why...?
That function is deprecated and will disappear shortly.
It is not listed in the current C standard as deprecated.
http://open-std.org/JTC1/SC22/WG14/www/docs/dr_332.htm
The status from the summary page is "closed, published in TC 3", and you
can find the added paragraph in n1256. Admittedly, I'm not sure if TC 3
is official just yet.
However, of course being deprecated does not mean it will actually be
removed any time soon.
On Nov 16, 12:20 pm, Eric Sosman <Eric.Sos...@sun.com> wrote:
Paul Hsieh wrote on 11/16/07 14:43:
On Nov 16, 9:04 am, jayapal <jayapal...@gmail.com> wrote:
>Whenever I use the gets() function, the gnu c compiler gives a warning that it is dangerous to use gets(). why...?
No set of program control can prevent gets() from having undefined
behavior. In fact, basically all C compilers implement gets() to have
undefined behavior. Because of this, the function has been slated to
be deprecated in the next C standard. I have made a safe
implementation of gets() that you can find as the first example here:
http://www.pobox.com/~qed/userInput.html
Please feel free to use it in lieu of the upcoming standard which will
make its usage obsolete.
Isn't there a buffer overrun vulnerability in the
fgetstralloc() function? Look carefully at the second
argument of the first call to getInputFrag().
It's 64. getInputFrag(*, 64,*,*,*) never writes to more than 64 chars
(the extra '\0' only comes when the input is <= 64 in length; unlike
strncat, this is ok because the length read is always explicitly
returned), and the buffer passed (char blk[64]) in is 64 chars in
length. So ... what am I missing?
--
Paul Hsieh http://www.pobox.com/~qed/ http://bstring.sf.net/
jacob navia wrote:
jayapal wrote:
>Whenever I use the gets() function, the gnu c compiler gives a warning that it is dangerous to use gets(). why...?
That function is deprecated and will disappear shortly.
Its usage is not recommended because there is no way to
limit the input that it will receive, and it can overflow
the input buffer.
It's true that gets() has been declared obsolescent and deprecated.
This is reflected in TC3 and in the latest standard draft, n1256.pdf.
This just happened within the last couple of months.
But please don't make the mistake of thinking that it "will disappear
shortly". It has not been removed from the C99 standard. In fact, any
conforming C99 implementation *must* provide gets(), undefined behavior
and all (though any implementation is free to warn about it).
Deprecation means that it will most likely be removed from the *next* C
standard, which is still a number of years away. Consider that the C99
standard is 8 years old, and still has not been fully implemented by the
vast majority of compilers. It will likely be decades, if ever, before
a significant number of implementations conform to a new C20YZ standard.
And even then, compilers will be free to continue to provide it in a
non-conforming mode, perhaps for backward compatibility.
I'm afraid that gets() is going to be around for a very long time. It's
still up to each of us, as programmers, to avoid using it.
jacob, if you really think gets() will "disappear shortly", I'd be
interested in your reasoning.
--
Keith Thompson (The_Other_Keith) <ks***@mib.org>
Looking for software development work in the San Diego area.
"We must do something. This is something. Therefore, we must do this."
-- Antony Jay and Jonathan Lynn, "Yes Minister"
Keith Thompson wrote:
jacob navia wrote:
>jayapal wrote:
>>Whenever I use the gets() function, the gnu c compiler gives a warning that it is dangerous to use gets(). why...?
That function is deprecated and will disappear shortly. Its usage is not recommended because there is no way to limit the input that it will receive, and it can overflow the input buffer.
It's true that gets() has been declared obsolescent and deprecated. This
is reflected in TC3 and in the latest standard draft, n1256.pdf. This
just happened within the last couple of months.
But please don't make the mistake of thinking that it "will disappear
shortly". It has not been removed from the C99 standard. In fact, any
conforming C99 implementation *must* provide gets(), undefined behavior
and all (though any implementation is free to warn about it).
Deprecation means that it will most likely be removed from the *next* C
standard, which is still a number of years away. Consider that the C99
standard is 8 years old, and still has not been fully implemented by the
vast majority of compilers. It will likely be decades, if ever, before
a significant number of implementations conform to a new C20YZ standard.
And even then, compilers will be free to continue to provide it in a
non-conforming mode, perhaps for backward compatibility.
I'm afraid that gets() is going to be around for a very long time. It's
still up to each of us, as programmers, to avoid using it.
jacob, if you really think gets() will "disappear shortly", I'd be
interested in your reasoning.
Nothing, just hopes that now that is deprecated, people will
stop using it, and it will disappear in a few years.
--
jacob navia
jacob at jacob point remcomp point fr
logiciels/informatique http://www.cs.virginia.edu/~lcc-win32