Re: amiga-fdisk 0.4 and debian/potato boot floppies.
- To: Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de>
- Cc: debian-68k@lists.debian.org, debian-boot@lists.debian.org, debian-powerpc@lists.debian.org, stepan@linux.de, Frank.Neumann@informatik.uni-oldenburg.de
- Subject: Re: amiga-fdisk 0.4 and debian/potato boot floppies.
- From: Sven LUTHER <luther@dpt-info.u-strasbg.fr>
- Date: Tue, 25 Jan 2000 15:53:59 +0100
- Message-id: <20000125155359.C11475@dpt-info.u-strasbg.fr>
- Mail-followup-to: Roman Hodek <Roman.Hodek@informatik.uni-erlangen.de>, debian-68k@lists.debian.org, debian-boot@lists.debian.org, debian-powerpc@lists.debian.org, stepan@linux.de, Frank.Neumann@informatik.uni-oldenburg.de
- Reply-to: luther@dpt-info.u-strasbg.fr
- In-reply-to: <200001251439.PAA14396@faui22c.informatik.uni-erlangen.de>; from Roman.Hodek@informatik.uni-erlangen.de on Tue, Jan 25, 2000 at 03:39:40PM +0100
- References: <20000125150659.A10552@dpt-info.u-strasbg.fr> <200001251439.PAA14396@faui22c.informatik.uni-erlangen.de>
On Tue, Jan 25, 2000 at 03:39:40PM +0100, Roman Hodek wrote:
>
> > But the changelog of amiga-fdisk says that it got to use libreadline
> > instead of gets because gets is buggy, or poses a security hazard, or
> > whatever.
>
> Yes, gets() is dangerous because it doesn't check the bounds of the
> input buffer. One should use fgets() instead, e.g.:
>
> +#ifdef DONT_USE_READLINE
> +char *readline (const char *prompt)
> +{
> + char buffer[1024];
> + char *s;
> + int size;
> + printf ("%s",prompt);
> + fflush (stdout);
> + fgets (buffer, sizeof(buffer), stdin);
> + size = strlen (buffer);
> + s = malloc ((size+1)*sizeof(char));
> + s = strcpy (s, buffer);
> + fflush (stdin);
> + return s;
> +}
> +#endif
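Review bot: the return value of `fgets (buffer, sizeof(buffer), stdin);` is never checked, so at end-of-file or on a read error `buffer` is left uninitialized and the following `strlen (buffer)` and `strcpy` read indeterminate stack contents; return NULL in that case, which is also what readline() does at EOF. The write into `buffer` itself is bounded by `sizeof(buffer)`, but the `malloc` result is passed to `strcpy` without a NULL check, `fflush (stdin)` is undefined behaviour in ISO C and should be dropped, and unlike readline() the returned string keeps its trailing newline and is cut at 1023 characters, with the remainder of a longer line left in stdin for the next call.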
>
> This is sufficiently safe.
This doesn't check the bounds either, does it? And is gets not implemented as
fgets (stdin)?
Friendly,
Sven LUTHER
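
Added example, not part of the original message or of amiga-fdisk: the bound asked about above comes from the size argument that fgets() takes and gets() has no way to receive. The sketch goes beyond the fixed 1024-byte case by growing the buffer for long lines; `read_line_bounded` is a hypothetical name, and the `FILE *` parameter and the constructed input in `main` are assumptions so it runs without a terminal.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: read one line of any length from fp.
 * Returns a malloc'd string without the trailing newline, or NULL at
 * end-of-file with no data, on read error before any data, or on
 * allocation failure. Caller frees the result. */
char *read_line_bounded(FILE *fp)
{
    size_t cap = 16, len = 0;
    char *line = malloc(cap);
    if (line == NULL)
        return NULL;
    /* fgets() stores at most (cap - len) - 1 characters plus the NUL,
     * so it cannot write past the space it was told about. gets() is
     * given no size and keeps writing until it sees a newline. */
    while (fgets(line + len, (int)(cap - len), fp) != NULL) {
        len += strlen(line + len);
        if (len > 0 && line[len - 1] == '\n') {
            line[len - 1] = '\0';   /* complete line: drop the newline */
            return line;
        }
        if (len + 1 == cap) {       /* buffer full, no newline yet: grow */
            char *bigger = realloc(line, cap * 2);
            if (bigger == NULL) {
                free(line);
                return NULL;
            }
            line = bigger;
            cap *= 2;
        }
    }
    if (len == 0) {                 /* EOF or error before any data */
        free(line);
        return NULL;
    }
    return line;                    /* final line had no newline */
}

int main(void)
{
    FILE *fp = tmpfile();           /* constructed sample input */
    char *s;
    if (fp == NULL)
        return 1;
    fputs("p\nthis line is longer than the first sixteen-byte buffer\nq", fp);
    rewind(fp);
    while ((s = read_line_bounded(fp)) != NULL) {
        printf("%lu: %s\n", (unsigned long)strlen(s), s);
        free(s);
    }
    fclose(fp);
    return 0;
}
```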