'evening.
I'm not new to C and have been programming in it since I was 8 but
here's a strange problem I've never seen before.
When I compile a program from our C course with a windows compiler
there is no problem but when I try to compile it with a linux compiler
it complains that
a_03.c:(.text+0x4d): warning: the `gets' function is dangerous
and should not be used.
Is linux more dangerous than windows? Where can I download a
non dangerous gets function? I have never used gets before is
there undefined behavior somewhere?
Here is a trimmed down example program from my assignment that
demonstrates the problem
#include <stdio.h>
#include <stdlib.h>   /* malloc, free, exit */

int main(void)
{
    char *string;

    printf("enter string (max 2000 chars): ");
    fflush(stdout);
    string = (char *)malloc(2001);
    if(!string) exit(1);
    gets(string);   /* no length limit: the call the warning is about */
    printf("you entered: %s\n", string);
    free(string);
    exit(0);
}
On windows with TurboC and Lcc no error is printed. On linux with
gcc it says gets is dangerous.
Please advise my instructor says gcc is overly pedantic.
Aug 10 '08
On 10 Aug 2008 at 13:17, santosh wrote:
>Richard wrote:
>>Total and utter nonsense. C is used all over the place for creating elements which are under strict control and the program/process/function has a totally controlled and defined input stream. In those scenarios gets is used flawlessly in millions of programs around the world.
>I wonder, can you give examples of sources of perfectly controlled and
>defined input? Certainly disk files can be tampered, as can pipes,
>sockets and almost every other device.
True. The world might also be destroyed in a nuclear holocaust while
your throwaway program is reading its non-life-critical data, so why
take the risk of programming at all? Drink a beer, get laid, and wait
for the mushroom cloud to take you.
santosh <sa*********@gmail.com> writes:
>Richard wrote:
>>Richard Heathfield <rj*@see.sig.invalid> writes:
>>>Julian said:
>>>>'evening.
>>>>I'm not new to C and have been programming in it since I was 8 but here's a strange problem I've never seen before.
>>>>When I compile a program from our C course with a windows compiler there is no problem but when I try to compile it with a linux compiler it complains that
>>>>a_03.c:(.text+0x4d): warning: the `gets' function is dangerous and should not be used.
>>>>Is linux more dangerous than windows?
>>>No. Your Linux compiler warned you about a dangerous function that should never be used.
>>Total and utter nonsense. C is used all over the place for creating elements which are under strict control and the program/process/function has a totally controlled and defined input stream. In those scenarios gets is used flawlessly in millions of programs around the world.
>>if you can NOT define the input then I would agree. But in the real world the input is indeed guaranteed in a properly functioning system. if the system isn't well defined then all "bets are off" since you can pretty much be sure that undefined behaviour/input has already compromised the process pipeline.
>I wonder, can you give examples of sources of perfectly controlled and
>defined input? Certainly disk files can be tampered, as can pipes,
>sockets and almost every other device. Why risk it with gets when fgets
>is just as easy and safer?
If I have a well defined pipeline then any deviance makes the entire line
corrupt.
If I have a process whose DEFINED input is say, 16 characters at a time
on its standard input then it's not its job to ensure that's what
comes. Don't believe me? Try calling strcpy with NULL pointer as the
destination.
Since it has NO way of reporting back errors to the program feeding it,
what should my module do? Carry on processing this rogue data?
The point is this - one can worry all day long. One can also be
practical and "real".
It's like the malloc business. If malloc fails for a few bytes the chance
of that program not exhibiting "Undefined Behaviour" because you checked
the return code is practically nil.
On Aug 10, 12:42 pm, Richard <rgr...@gmail.com> wrote:
>Richard Heathfield <r...@see.sig.invalid> writes:
>>Julian said:
>>>I'm not new to C and have been programming in it since I was 8 but
>>>here's a strange problem I've never seen before.
>>>When I compile a program from our C course with a windows compiler
>>>there is no problem but when I try to compile it with a linux compiler
>>>it complains that
>>>a_03.c:(.text+0x4d): warning: the `gets' function is dangerous
>>>and should not be used.
>>>Is linux more dangerous than windows?
>>No. Your Linux compiler warned you about a dangerous function that should
>>never be used.
>Total and utter nonsense. C is used all over the place for creating
>elements which are under strict control and the program/process/function
>has a totally controlled and defined input stream. In those scenarios
>gets is used flawlessly in millions of programs around the world.
>if you can NOT define the input then I would agree. But in the real
>world the input is indeed guaranteed in a properly functioning
>system.
hardly. Much web based software does not have total control
of its inputs. Compilers don't have TCOI. Even if the other end of
your "link" is "trusted" there can be errors made. Yes, you test your
software but why not on the length of input
>if the system isn't well defined then all "bets are off" since
>you can pretty much be sure that undefined behaviour/input has already
>compromised the process pipeline
how many bugs has gets() caused? Windows certainly. Wasn't the Unix
worm gets() based?
--
Nick Keighley
"Antoninus Twink" <no****@nospam.invalid> wrote in message
news:sl*******************@nospam.invalid...
>True. The world might also be destroyed in a nuclear holocaust while
>your throwaway program is reading its non-life-critical data, so why
>take the risk of programming at all? Drink a beer, get laid, and wait
>for the mushroom cloud to take you.
I agree except on one thing. I'd drink the beer last
Nick Keighley <ni******************@hotmail.com> writes:
>On Aug 10, 12:42 pm, Richard <rgr...@gmail.com> wrote:
>>Richard Heathfield <r...@see.sig.invalid> writes:
>>>Julian said:
>>>>I'm not new to C and have been programming in it since I was 8 but here's a strange problem I've never seen before.
>>>>When I compile a program from our C course with a windows compiler there is no problem but when I try to compile it with a linux compiler it complains that
>>>>a_03.c:(.text+0x4d): warning: the `gets' function is dangerous and should not be used.
>>>>Is linux more dangerous than windows?
>>>No. Your Linux compiler warned you about a dangerous function that should
>>>never be used.
>>Total and utter nonsense. C is used all over the place for creating elements which are under strict control and the program/process/function has a totally controlled and defined input stream. In those scenarios gets is used flawlessly in millions of programs around the world.
>>if you can NOT define the input then I would agree. But in the real world the input is indeed guaranteed in a properly functioning system.
>hardly. Much web based software does not have total control
>of its inputs. Compilers don't have TCOI. Even if the other end of
Then don't use gets in this case.
You seem to think I am advocating it when the input is not DEFINED. I am
not.
"Serve Lau" <ni***@qinqin.com> writes:
>"Antoninus Twink" <no****@nospam.invalid> wrote in message
>news:sl*******************@nospam.invalid...
>>True. The world might also be destroyed in a nuclear holocaust while your throwaway program is reading its non-life-critical data, so why take the risk of programming at all? Drink a beer, get laid, and wait for the mushroom cloud to take you.
>I agree except on one thing. I'd drink the beer last
You would? I would drink it second.
"Ben Bacarisse" <be********@bsb.me.uk> wrote in message news:
>"Malcolm McLean" <re*******@btinternet.com> writes:
>>"Gordon Burditt" <go***********@burditt.org> wrote in message
>>>There is no non-dangerous gets() function with the same interface. The non-dangerous function is called fgets().
>>This is a hardy annual. Of course fgets() can be used safely, but won't be. For instance Richard Heathfield posted a dangerous use of fgets() in this very thread. It will give the wrong answer if the user enters a string of over 2000 characters.
>You have allowed yourself to slip into polemic. It is not clear, at
>least to me, what the right answer is so you are stretching the point
>-- be careful with fgets and long lines -- by saying that the answer
>is "wrong" and the use "dangerous".
if I enter
"My name is Rumplewumple ... stiltskin"
and the program comes back
"You entered My name is Rumplewumple ... stilt"
Then I might well object that that's my cousin. Which is potentially
dangerous, depending on what the program is being used for.
--
Free games and programming goodies. http://www.personal.leeds.ac.uk/~bgy1mm
On Sun, 10 Aug 2008 09:27:13 +0100, "Malcolm McLean"
<re*******@btinternet.com> wrote:
>"Gordon Burditt" <go***********@burditt.org> wrote in message
>>There is no non-dangerous gets() function with the same interface. The non-dangerous function is called fgets().
>This is a hardy annual. Of course fgets() can be used safely, but won't be. For instance Richard Heathfield posted a dangerous use of fgets() in this very thread. It will give the wrong answer if the user enters a string of over 2000 characters.
Any code that does not check the status of "service requests" is
dangerous. But this is a result of sloppy programming. It is not an
inherent property of the request itself as a call to gets() is.
>Of course it is not dangerous in a little exercise program that doesn't do anything, but then neither is gets().
I guess on your system undefined behavior can never do any harm.
>To use fgets() safely you must check for the newline. If it is not present a buffer overflow occurred. So you must then take action against the buffer to
Actually, a buffer overflow was prevented.
>ensure that the next read doesn't get the remainder of the previous line.
The recommended action should be either:
    Whatever the program needs to do to obtain the remainder of
    the line so the input can be processed as intended.
    Reject the input with appropriate notification to the user and
    suitable follow-on action
--
Remove del for email
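The handling discussed in the post above (look for the newline after fgets(), then deal with the rest of an over-long line) as an added example that is not part of any post in the thread. The names read_line, line_status and make_input are hypothetical, and this version takes the "reject the input" option rather than growing the buffer.

```c
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK, LINE_TOO_LONG, LINE_EOF };

/* Read one line into buf[size] (size >= 2), newline stripped. An over-long
 * line is rejected whole: its tail is consumed so the next call starts on
 * a fresh line, and no truncated prefix is handed back. */
enum line_status read_line(FILE *in, char *buf, size_t size)
{
    size_t len;
    int c;
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;          /* end of input or read error */
    }
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';      /* complete line */
        return LINE_OK;
    }
    /* No newline stored: the buffer filled up, or the input ended. */
    c = getc(in);
    if (c == EOF || c == '\n')
        return LINE_OK;           /* exact fit, or unterminated last line */
    while ((c = getc(in)) != EOF && c != '\n')
        ;                         /* discard the rest of the long line */
    buf[0] = '\0';
    return LINE_TOO_LONG;
}

/* Constructed sample input for the demo, held in a temporary file. */
FILE *make_input(const char *text)
{
    FILE *f = tmpfile();
    if (f != NULL) {
        fputs(text, f);
        rewind(f);
    }
    return f;
}

int main(void)
{
    char buf[16];   /* small on purpose; the thread's program used 2001 */
    FILE *in = make_input("My name is Rumplewumplestiltskin\nshort\n");
    enum line_status st;
    if (in == NULL)
        return 1;
    while ((st = read_line(in, buf, sizeof buf)) != LINE_EOF)
        puts(st == LINE_TOO_LONG ? "input rejected: line too long" : buf);
    fclose(in);
    return 0;
}
```

A line of exactly size-1 characters is accepted, because the one character read after fgets() turns out to be its newline.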
Antoninus Twink wrote:
>On Sun, 10 Aug 2008 13:27:34 +0530, santosh wrote:
>>CBFalconer wrote:
>>>Correction: That omits many useful tests. I suggest: gcc -W -Wall -ansi -pedantic for better error detection.
>>I would also recommend: [...] -Wpointer-arith
>This is redundant, since it's already enabled by -pedantic.
This is not mentioned in my gcc documentation. Looking it up on the
Web... yes I see you're right. Must have been added recently.
Antoninus Twink wrote:
>On 10 Aug 2008 at 13:17, santosh wrote:
>>Richard wrote:
>>>Total and utter nonsense. C is used all over the place for creating elements which are under strict control and the program/process/function has a totally controlled and defined input stream. In those scenarios gets is used flawlessly in millions of programs around the world.
>>I wonder, can you give examples of sources of perfectly controlled and defined input? Certainly disk files can be tampered, as can pipes, sockets and almost every other device.
>True. The world might also be destroyed in a nuclear holocaust while
>your throwaway program is reading its non-life-critical data, so why
>take the risk of programming at all? Drink a beer, get laid, and wait
>for the mushroom cloud to take you.
I'd use fgets even for a "throwaway" program because it's really as easy
to use and I won't have to worry about carefully deleting the sources
later.