Warnings / Compiler switch for secure programming

Gregor Richards Richards at codu.org
Fri Mar 23 15:17:10 PDT 2007


Matthias Walter wrote:
> I've read somewhere that one can also use alloca() in D, which can be insecure, as it can lead to an exploitable stack overflow if the amount of data to allocate can be controlled by the user, at least in most implementations. (I've seen a talk where it was said GCC's implementation is exploitable, too!)
> 
> Another thing is writefln() stuff, as it is also error-prone if the format-string is not fixed. (It is in most cases, but if not, that's dangerous.)
> 
> Maybe one could add compiler-flags which activate warnings about possible insecure programming in these cases.
> 
> Just an idea :)
> 
> Matthias

1) alloca is as insecure as the programmer is incompetent. If you choose 
to copy input into it willy-nilly with no regard for the buffer size, 
that's your problem.
Your comment that GCC's implementation of alloca is also insecure is 
irrelevant: alloca by its very definition is vulnerable to stack 
overflow attacks; there's no such thing as a "secure" implementation.

2) writefln uses D-style varargs; D-style varargs are fairly difficult 
to use in an insecure way.

  - Gregor Richards
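Both points of the thread in one added D example (this is not code from the thread or from the D standard library; the size cap, the function names and the constructed inputs are assumptions): the length is checked before alloca ever sees it, and user text goes into writefln as an argument to a fixed "%s" format, where D's type-carrying varargs reject a missing-argument format with an exception instead of reading the stack.

```d
// Added example: bounded alloca and the "%s" idiom for user-controlled text.
import core.stdc.stdlib : alloca;
import std.exception : enforce;
import std.format : FormatException;
import std.stdio : writefln;

// Assumed cap on what we are willing to put on the stack. The hazard described
// in the thread is an attacker-chosen length reaching alloca unchecked, so the
// check happens before the call.
enum size_t MAX_STACK_BUF = 4096;

void processWithStackBuffer(const(char)[] input)
{
    enforce(input.length <= MAX_STACK_BUF, "input too large for a stack buffer");
    char* raw = cast(char*) alloca(input.length);  // length is now bounded
    char[] buf = raw[0 .. input.length];           // bounds-checked slice over it
    buf[] = input[];
    writefln("copied %s bytes into a stack buffer", buf.length);
}

void main()
{
    processWithStackBuffer("hello");

    // Oversized input is rejected before alloca runs.
    bool rejected = false;
    try processWithStackBuffer(new char[MAX_STACK_BUF + 1]);
    catch (Exception) rejected = true;
    assert(rejected);

    string userText = "balance: %d %s";  // constructed, attacker-controlled text

    // Wrong: the user string becomes the format string. Because D varargs carry
    // type info, the missing arguments are detected and a FormatException is
    // thrown rather than whatever happens to be on the stack being printed.
    bool caught = false;
    try writefln(userText);
    catch (FormatException) caught = true;
    assert(caught);

    // Right: a fixed format string; the user text is only an argument.
    writefln("%s", userText);
}
```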
