DragonFly submit List (threaded) for 2005-02
[
Date Prev][Date Next]
[
Thread Prev][
Thread Next]
[
Date Index][
Thread Index]
Re: Patch to execve
Joerg Sonnenberger wrote:
On Sun, Feb 27, 2005 at 03:45:39PM -0800, Kevin M. Kilbride wrote:
The documentation for the compiler actually points out the problem with
the write-strings option:
"These warnings will help you find at compile time code that can try to
write into a string constant, but only if you have been very careful
about using const in declarations and prototype. Otherwise, it will just
be a nuisance; this is why we did not make -Wall request these warnings."
It should be removed from WARNS=6.
No. Code has to understand that there is a difference between:
const char *
char *
char []
It is precisely that difference I am talking about, Joerg. This code is
safe:
void function(void) {
char *x = "some string";
potential_string_modifier(x);
}
This code is not safe:
void function(void) {
char x[] = "some string";
potential_string_modifier(x);
}
In the first case, if the potential modifier attempts to write to the
string, the program will die. As I pointed out previously, dead programs
are always safe. In the second case, if the potential modifier attempts
to write to the string, it will succeed---even if it overwrites the
stack. It is exercises similar to this that permit stack overflow
exploits. Moreover, passing truly-writable copies prevents you from
later finding any calls that should not be modifying strings, but which
actually do.
Keep in mind what ( char x[] = "some string"; ) is actually doing. It
declares an automatically-sized array on the stack and then initializes
it with a string literal. For whatever reason, the userland code I've
looked at so far often declares string constants as automatic
variables---but at least it does it with pointers to literals. Doing
this as a pointer to a string literal can never open the door to safety
issues. Doing it as an automatic initialization of an array on the
stack, on the other hand, *may* open the door to potential safety
issues. Kernel functions should never be a problem, since they are
absolutely privileged and completely trusted; but if you start
encouraging WARNS=6 compliance in general, then people will, ironically,
be given a false sense of security by making their code warnings-free.
Aside from which, even within their own applications, they will have a
more difficult time finding bugs related to unintentional writing to
should-be-constant strings. That is why -Wwrite-strings should be
removed from WARNS=6.
[
Date Prev][Date Next]
[
Thread Prev][
Thread Next]
[
Date Index][
Thread Index]