Article:		Networking and the BSD Sockets API
Subject:		security error in client code
Date:		2003-01-13 11:42:51
From:		anonymous2
In the client code, you wrote: printf( buffer ); this is vulnerable to the common "format-string security error" which is the second most common security error in C network software. The corrected line should read: printf( "%s", buffer ); In addition, you invite a future security error by using hardcoded constants here: char buffer[201]; ... while (n = read(sockfd, buffer, 200)) { instead of: #define BUFSIZE 200 ... char buffer[BUFSIZE + 1]; ... while (n = read(sockfd, buffer, BUFSIZE)) { Please take care not to promulgate insecure C programming practices in the future.

Showing messages 1 through 1 of 1.

• Give the author a break...
  2003-01-20 11:28:41  stevesheets [View]
  
  
  >>you invite a future security error by using hardcoded constants here
  
  >>Please take care not to promulgate insecure C programming practices in the future.
  
  Give the author a break...
  
  When someone is writing a programming example/snippet, not released product, you use an entirely different method/standard to judge it. The purpose is to show the theory behind the code. You must do this, usually with the editor yelling to keep the article short and to the point. And most users skip over long source code examples, so you must keep the lines of code you create small and exact.
  
  Yes, we all know it is best to not hardcode sizes and constants. But it also perfectly correct when writing a coding article or code snippet to keep the code simple, without over use of macros and such.
  
  Thanks for the article!
  
  Steve Sheets