On Sat, 27 Jan 2024 15:44:22 +0100, David Brown wrote:

Whether a program with strcat, or a program with strncat, is correct or
not depends on the specifications for the program.

Can a program that uses strcat be “correct”? In theory, yes. In practice, code that uses such misbegotten functions has a high probability of having associated security vulnerabilities like buffer overflows in it. That’s
why we avoid same.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 27/01/2024 20:48, Lawrence D'Oliveiro wrote:

On Sat, 27 Jan 2024 15:44:22 +0100, David Brown wrote:

Whether a program with strcat, or a program with strncat, is correct or
not depends on the specifications for the program.

Can a program that uses strcat be “correct”? In theory, yes. In practice, code that uses such misbegotten functions has a high probability of having associated security vulnerabilities like buffer overflows in it. That’s
why we avoid same.

So how would you write such a function in a safe manner?

At some point you will need to trust the parameters that the caller
provides. Then that is no different to an implementation of strcat.

BTW you seem to like Python. Cpython uses strcpy() quite a bit, and also strcat(). Does that make CPython unsafe?

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

In article <up3q66$3hbk7$5@dont-email.me>,
Lawrence D'Oliveiro <ldo@nz.invalid> wrote:

On Sat, 27 Jan 2024 15:44:22 +0100, David Brown wrote:

Whether a program with strcat, or a program with strncat, is correct or
not depends on the specifications for the program.

Can a program that uses strcat be correct? In theory, yes. In practice,
code that uses such misbegotten functions has a high probability of having >associated security vulnerabilities like buffer overflows in it. Thats
why we avoid same.

I'm very happy for you.

--
"Only a genius could lose a billion dollars running a casino."
"You know what they say: the house always loses."
"When life gives you lemons, don't pay taxes."
"Grab 'em by the p***y!"

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, 27 Jan 2024 21:15:54 +0000, bart wrote:

On 27/01/2024 20:48, Lawrence D'Oliveiro wrote:

Can a program that uses strcat be “correct”? In theory, yes. In practice,
code that uses such misbegotten functions has a high probability of having >> associated security vulnerabilities like buffer overflows in it. That’s
why we avoid same.

So how would you write such a function in a safe manner?

Don’t. Use an alternative function instead.

<https://manpages.debian.org/7/string_copying.en.html>

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 27/01/2024 23:41, Lawrence D'Oliveiro wrote:

On Sat, 27 Jan 2024 21:15:54 +0000, bart wrote:

On 27/01/2024 20:48, Lawrence D'Oliveiro wrote:

Can a program that uses strcat be “correct”? In theory, yes. In practice,
code that uses such misbegotten functions has a high probability of having >>> associated security vulnerabilities like buffer overflows in it. That’s >>> why we avoid same.

So how would you write such a function in a safe manner?

Don’t. Use an alternative function instead.

<https://manpages.debian.org/7/string_copying.en.html>

Which one from that page? It shows strcat and strlcat.

The latter contains a size. But you have to trust the size is correct.

This is little different from trusting the caller to not provide a
source string that is longer than the remaining capacity of the destination.

At some point, you have to trust something.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, 27 Jan 2024 23:49:42 +0000, bart wrote:

The latter contains a size. But you have to trust the size is correct.

The point being, you can specify one.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, 27 Jan 2024 17:05:27 -0800, Keith Thompson wrote:

Yes, you can introduce a buffer overflow if you
modify the code carelessly. So don't do that.

Adding an explicit buffer size provides an additional check. It helps
reduce the incidence of such “carelessness”. Not completely, but it helps.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Sat, 27 Jan 2024 18:00:08 -0800, Keith Thompson wrote:

Lawrence D'Oliveiro <ldo@nz.invalid> writes:

On Sat, 27 Jan 2024 17:05:27 -0800, Keith Thompson wrote:

Yes, you can introduce a buffer overflow if you modify the code
carelessly. So don't do that.

Adding an explicit buffer size provides an additional check. It helps
reduce the incidence of such “carelessness”. Not completely, but it
helps.

Sure. It also requires extra work ...

Macros can help with that.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 27/01/2024 21:48, Lawrence D'Oliveiro wrote:

On Sat, 27 Jan 2024 15:44:22 +0100, David Brown wrote:

Whether a program with strcat, or a program with strncat, is correct or
not depends on the specifications for the program.

Can a program that uses strcat be “correct”? In theory, yes. In practice, code that uses such misbegotten functions has a high probability of having associated security vulnerabilities like buffer overflows in it. That’s
why we avoid same.

In theory, yes. In practice, yes.

The principle is the same for every program. If you have unknown input
from the outside, sanitize it so that you know enough about it to be
able to use it the way you want. If you know it is safe to use it in a particular way, you can use it that way without introducing bugs.

Any program, function, or set of functions needs a specification (even
if it is informal). This gives the restrictions on the inputs for
anything using the code, and says what the output will be as long as
these restrictions are fulfilled. (It might also specify some error
detection for "bad" inputs, but that's really just an extension to the specification of inputs and outputs.)

Sometimes a function will be specified for all possible values of its
input types. Sometimes it won't. (And sometimes details are hidden by
the language and implementation - the object code for a function
typically gets its inputs in registers or stack entries, and they may be
able to hold bit patterns that don't match any value of the logical type.)

The implementation of a function can, and should, assume that the input
values are within specification. Any incorrect input falls under
"garbage in, garbage out" - a principle that has been established in the computing world since the first mechanical computers, and which extends throughout countless aspects of life.

If the function uses strcat in a way that is safe and correct for inputs
as specified for the function, then it is safe and correct to use strcat.

If you have an alternative way to implement the function, that could be
just as good. You might have a way to do it more efficiently. But that
does not mean strcat is bad.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 28/01/2024 20:25, Chris M. Thomasson wrote:

On 1/28/2024 8:43 AM, Malcolm McLean wrote:

On 27/01/2024 20:48, Lawrence D'Oliveiro wrote:

On Sat, 27 Jan 2024 15:44:22 +0100, David Brown wrote:

Whether a program with strcat, or a program with strncat, is correct or >>>> not depends on the specifications for the program.

Can a program that uses strcat be “correct”? In theory, yes. In
practice,
code that uses such misbegotten functions has a high probability of
having
associated security vulnerabilities like buffer overflows in it. That’s >>> why we avoid same.
;

For me security vulnerablities of that type aren't a big issue. Whilst
someone could potentially exploit that vulnerability to run
unspecified code, he'd find it very difficult to deploy the exploit to
a paying customer. We've never had a case of that sort of thing.

But in some environments, yes this is a serious concern. You rely
onthe strings being checked for length eslewhere, and it's not at all
unlikely that those checks could be evaded somehow.

strcat can be used correctly. A person that juggles chainsaws, yet has
no arms and legs, well, shit happens... ;^)

The trick is to use juggling chainsaws, not regular ones (there are big differences), and to know what you are doing with them. Accidents are
very rare. Juggling accidents come from people trying dangerous things
without proper training, or without appropriate safety precautions, or
because they think it will make them look smart.

So it is not /that/ different from programming!

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Lawrence D'Oliveiro <ldo@nz.invalid> writes:

[..how would one write a safe set of string functions?..]

Don't. Use an alternative function instead.

<https://manpages.debian.org/7/string_copying.en.html>

As documentation that page is truly horrendous.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, 29 Jan 2024 12:08:09 -0800, Tim Rentsch wrote:

Lawrence D'Oliveiro <ldo@nz.invalid> writes:

[..how would one write a safe set of string functions?..]

Don't. Use an alternative function instead.

<https://manpages.debian.org/7/string_copying.en.html>

As documentation that page is truly horrendous.

As with anything open-source, feel free to show us how you would do
better.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-01-29, Lawrence D'Oliveiro <ldo@nz.invalid> wrote:

On Mon, 29 Jan 2024 12:08:09 -0800, Tim Rentsch wrote:

Lawrence D'Oliveiro <ldo@nz.invalid> writes:

[..how would one write a safe set of string functions?..]

Don't. Use an alternative function instead.

<https://manpages.debian.org/7/string_copying.en.html>

As documentation that page is truly horrendous.

As with anything open-source, feel free to show us how you would do
better.

The functions *are already documented* in glibc's manual.

https://sourceware.org/glibc/manual/html_mono/libc.html

where they are covered with much less pontification, belaboring and
rambling.

"The simplest character sequence copying function is mempcpy(3)"

What? According to what simplicity measure? This opinion bit,
like many others, adds no value.

--
TXR Programming Language: http://nongnu.org/txr
Cygnal: Cygwin Native Application Library: http://kylheku.com/cygnal
Mastodon: @Kazinator@mstdn.ca

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

In article <up9d6f$lmi3$2@dont-email.me>,
Lawrence D'Oliveiro <ldo@nz.invalid> wrote:

On Mon, 29 Jan 2024 12:08:09 -0800, Tim Rentsch wrote:

Lawrence D'Oliveiro <ldo@nz.invalid> writes:

[..how would one write a safe set of string functions?..]

Don't. Use an alternative function instead.

<https://manpages.debian.org/7/string_copying.en.html>

As documentation that page is truly horrendous.

As with anything open-source, feel free to show us how you would do
better.

This is such a crap argument.

Everything says shi - I mean, stuff like this, but it just such a
ridiculous argument.

--
In American politics, there are two things you just don't f*ck with:

1) Goldman Sachs
2) The military/industrial complex

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 2024-01-30, Kenny McCormack <gazelle@shell.xmission.com> wrote:

In article <up9d6f$lmi3$2@dont-email.me>,
Lawrence D'Oliveiro <ldo@nz.invalid> wrote:

On Mon, 29 Jan 2024 12:08:09 -0800, Tim Rentsch wrote:

Lawrence D'Oliveiro <ldo@nz.invalid> writes:

[..how would one write a safe set of string functions?..]

Don't. Use an alternative function instead.

<https://manpages.debian.org/7/string_copying.en.html>

As documentation that page is truly horrendous.

As with anything open-source, feel free to show us how you would do
better.

This is such a crap argument.

Everything says shi - I mean, stuff like this, but it just such a
ridiculous argument.

Especially given that the Linux Man Pages Project could do better just
by abstaining from writing write poor documentation for which there
exist better sources.

--
TXR Programming Language: http://nongnu.org/txr
Cygnal: Cygwin Native Application Library: http://kylheku.com/cygnal
Mastodon: @Kazinator@mstdn.ca

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, 30 Jan 2024 01:21:47 -0000 (UTC), Kenny McCormack wrote:

In article <up9d6f$lmi3$2@dont-email.me>,

Lawrence D'Oliveiro <ldo@nz.invalid> wrote:

On Mon, 29 Jan 2024 12:08:09 -0800, Tim Rentsch wrote:

Lawrence D'Oliveiro <ldo@nz.invalid> writes:

[..how would one write a safe set of string functions?..]

Don't. Use an alternative function instead.

<https://manpages.debian.org/7/string_copying.en.html>

As documentation that page is truly horrendous.

As with anything open-source, feel free to show us how you would do
better.

This is such a crap argument.

As the saying does: “put up or shut up”.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Keith Thompson ha scritto:

Lawrence D'Oliveiro <ldo@nz.invalid> writes:

On Sat, 27 Jan 2024 17:05:27 -0800, Keith Thompson wrote:

Yes, you can introduce a buffer overflow if you
modify the code carelessly. So don't do that.

Adding an explicit buffer size provides an additional check. It helps
reduce the incidence of such “carelessness”. Not completely, but it helps.

Sure. It also requires extra work, and introduce more opportunities for errors if you specify the size incorrectly.

There are languages that handle this kind of thing differently, where
the size is inherently associated with each array or string object or
value, and therefore the programmer doesn't have to specify it at all.
C is not one of those languages.

You seemed to be implying that strcpy() and strcat() cannot ever be used safely, and should not ever be used at all. It was that extreme
statement that I was trying to refute. Of course using strcpy() or
strcat() with user-provided input without checking:

char buf[80]
strcpy(buf, argv[1]);
strcat(buf, argv[2]);

If someone writes a piece of code like this, then he is a programmer who
tries to use the C language and not a "C programmer". Code like that you
write it only when you do small tests for yourself.

is dangerous. Just as 1+1 is perfectly safe, but n+1 is potentially dangerous if n might be equal to INT_MAX.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 30/01/2024 10:18, jak wrote:

Keith Thompson ha scritto:

Lawrence D'Oliveiro <ldo@nz.invalid> writes:

On Sat, 27 Jan 2024 17:05:27 -0800, Keith Thompson wrote:

Yes, you can introduce a buffer overflow if you
modify the code carelessly.  So don't do that.

Adding an explicit buffer size provides an additional check. It helps
reduce the incidence of such “carelessness”. Not completely, but it
helps.

Sure.  It also requires extra work, and introduce more opportunities for
errors if you specify the size incorrectly.

There are languages that handle this kind of thing differently, where
the size is inherently associated with each array or string object or
value, and therefore the programmer doesn't have to specify it at all.
C is not one of those languages.

You seemed to be implying that strcpy() and strcat() cannot ever be used
safely, and should not ever be used at all.  It was that extreme
statement that I was trying to refute.  Of course using strcpy() or
strcat() with user-provided input without checking:

     char buf[80]
     strcpy(buf, argv[1]);
     strcat(buf, argv[2]);

If someone writes a piece of code like this, then he is a programmer who tries to use the C language and not a "C programmer". Code like that you write it only when you do small tests for yourself.

It is fine as long as it is used according to specifications - just like
any other program.

You would not want to write code like this and release it to "the great unwashed", who would not bother reading the specifications, and would
not follow them even if they read them. You would not release it
somewhere where using it outside the specifications could be a problem
for the security, or stability of a system, or otherwise cause trouble.

But there are a very large number of programs, not just trivial or
private test programs, which are written to be used only in particular circumstances or in particular ways. They may only be run from other
front-end or driver programs - ones that run them appropriately. They
may be run only be qualified and trained people. And the programmer
could be perfectly justified in thinking that any sensible user will use
the program as intended, without problem. Ignorant users won't get
anywhere with it even if they find it, and malicious users can't do
worse than they could do with "sudo rm -rf /", which is easier to abuse.

As Keith said, code like that is dangerous - that does not mean it is wrong.

is dangerous.  Just as 1+1 is perfectly safe, but n+1 is potentially
dangerous if n might be equal to INT_MAX.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)