Re: recycled rant from another list

From: kragen@pobox.com
Date: Fri Apr 20 2001 - 15:54:41 PDT


"Stephen D. Williams" <sdw@lig.net> writes:
> "Adam L. Beberg" wrote:
> > On Wed, 11 Apr 2001, Joseph S Barrera III wrote:
> > > IF it's impossible to write C code without buffer overruns
>
> It's not impossible, just a pain and you have to avoid certain functions
> in certain contexts.

Juggling eleven beanbags isn't impossible either; you just have to put
your hands in the right places at the right times and toss the
beanbags with roughly the right velocity. In fact, there was once a
juggler who could actually do this.

> There is a version of gcc that catches buffer overruns as soon as they
> happen, for more secure daemons.

There are several. StackGuard is the most practical; it catches the
particular kind of buffer overrun that is easiest to exploit --- the
stack buffer overrun that overwrites the return address. Electric
Fence catches another set at a substantial performance and memory
cost. Greg McGary's bounds-checking version of gcc should
theoretically catch all buffer overflows, but its output is still too
slow for production use.
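
An added example, not part of the original message: a C simulation of the kind of check described above for StackGuard, where a guard word placed between a local buffer and the saved return address reveals a linear overrun before the function returns. The frame layout, canary value and all function names are constructed for illustration, and writes are capped to the simulated frame so the demo itself stays memory-safe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16
/* Simulated stack frame (constructed layout, not a real ABI):
   local buffer, then the canary word, then the saved return address. */
struct frame {
    unsigned char buf[BUF_LEN];
    uint64_t canary;
    uint64_t ret_addr;
};
/* Constructed constant; a real implementation chooses its canary itself. */
static const uint64_t CANARY = 0x000aff0d5ca1ab1eULL;

static void frame_init(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->canary = CANARY;
    f->ret_addr = 0x1000;            /* placeholder return address */
}
/* Copies with no check against BUF_LEN, as strcpy would. */
static void unchecked_copy(struct frame *f, const unsigned char *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;   /* cap to the simulated frame only */
    memcpy((unsigned char *)f, src, n);
}
/* Truncates to the buffer, so nothing beyond buf is ever written. */
static void bounded_copy(struct frame *f, const unsigned char *src, size_t n) {
    if (n > BUF_LEN) n = BUF_LEN;
    memcpy(f->buf, src, n);
}
/* Epilogue check: a changed canary means the bytes after buf were overwritten. */
static int canary_intact(const struct frame *f) { return f->canary == CANARY; }

/* Returns 1 if copying n bytes of constructed input trips the canary. */
static int overrun_detected(size_t n, int bounded) {
    unsigned char input[sizeof(struct frame)];
    struct frame f;
    memset(input, 'A', sizeof input);
    if (n > sizeof input) n = sizeof input;
    frame_init(&f);
    if (bounded) bounded_copy(&f, input, n);
    else unchecked_copy(&f, input, n);
    return !canary_intact(&f);
}

int main(void) {
    printf("unchecked 16: %d\n", overrun_detected(16, 0));
    printf("unchecked 17: %d\n", overrun_detected(17, 0));
    printf("unchecked 32: %d\n", overrun_detected(32, 0));
    printf("bounded   32: %d\n", overrun_detected(32, 1));
    return 0;
}
```

The check only sees writes that cross the canary on the way to the return address, which matches the message's point that this catches one particular kind of overrun rather than all of them.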



This archive was generated by hypermail 2b29 : Sun Apr 29 2001 - 20:26:02 PDT