Re: Security in a shell that starts ssh

To: debian-security@lists.debian.org
Subject: Re: Security in a shell that starts ssh
From: Daniel Ginsburg <dg@warpsolutions.com>
Date: Thu, 14 Jun 2001 01:35:39 +0400
Message-id: <[🔎] 20010614013539.A4167@cloud.warpsolutions.ru>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <[🔎] 20010613161027.D2048@molehole.moregruel.net>; from stevegr@debian.org on Wed, Jun 13, 2001 at 04:10:27PM -0500
References: <[🔎] 20010613204756.A1761@koan.dhs.org> <[🔎] 20010613161027.D2048@molehole.moregruel.net>

On Wed, Jun 13, 2001 at 04:10:27PM -0500, Steve Greenland wrote:
> On 13-Jun-01, 13:47 (CDT), Tim van Erven <tripudium@chello.nl> wrote: 
> > > On Wed, Jun 13, 2001 at 10:57:08AM -0500, Steve Greenland wrote:
> > > > > int main()
> > > > 
> > > > int main(void)   /* () != (void) in C */
> > 
> > The comp.lang.c faq (http://www.faqs.org/faqs/C-faq/faq/) says it's ok.
> 
> Where does it say this? The only thing I can see is under 11.12, where
> it says "main must be declared as returning an int, and as taking either
> zero or two arguments, of the appropriate types." That means either 'int
> main(void)' or 'int main(int argc, char *argv[])' (or 'char **argv'
> or some other compatible variations). 'int main()' has unspecified
> arguments, not zero.
>

11.12a: What's the correct declaration of main()?

A:      Either int main(), int main(void), or int main(int argc,
        char *argv[]) (with alternate spellings of argc and *argv[]
        obviously allowed).  See also questions 11.12b to 11.15 below.

        References: ISO Sec. 5.1.2.2.1, Sec. G.5.1; H&S Sec. 20.1 p.
        416; CT&P Sec. 3.10 pp. 50-51.

> Or does it? Since it's a definition, not a declaration, it *is* a
> function with no arguments. OTOH, the standard specifically says main
> should be either 'int main(void)' or 'int main(int argc, char **argv)'.

Exactly because it's definition int main() is correct too, but spelling it
as int main(void) is better style IMHO.

> I think I may ask about this on comp.std.c.

Oh no, not again! :)

[snip]
> 
> > > Possible access to unallocated memory if "\0\n" supplied as input.
> > 
> > Only if strlen(name) = 0 and besides from being hard to achieve when
> > entering data on stdin, fgets will return 0 if that happens.
> 
> But not if you feed it a file.
> 

Or socket, or whatever.
BTW, fgets will have non-NULL return value if that happens. Unfortunately
fgets won't report number of characters read. So it's better resort to
reading one character at time with fgetc if it's important to know how much
data we got.

> > No comments about my spelling mistake ('to long')? Personally I
> > considered that the worst offence. Btw, I should start posting all my
> > code to this list. That would *really* fix-up my coding habbits. :)
> 
> debian-codereview@lists.debian.org anyone? The place I used to work did
> code reviews for a short while: humbling and immensely valueable. I
> don't know why we got out of that habit; probably someone decided it
> "took too long", as if fixing bugs in released products was cheap.
> 

Ah, now try to convince people to submit their code for review. :)
Unfortunately many people take comments on their coding style as personal
offense :(

-- 
dg

Reply to:

References:
- Re: Security in a shell that starts ssh
  - From: Tim van Erven <tripudium@chello.nl>
- Re: Security in a shell that starts ssh
  - From: Steve Greenland <stevegr@debian.org>

Prev by Date: Re: Security in a shell that starts ssh
Next by Date: Re: Security in a shell that starts ssh
Previous by thread: Re: Security in a shell that starts ssh
Next by thread: Re: Security in a shell that starts ssh
Index(es):
- Date
- Thread