On 9 April 2014 18:05, Liam Proven <lproven@xxxxxxxxx> wrote: > On 9 April 2014 17:19, Tim <ignored_mailbox@xxxxxxxxxxxx> wrote: >> Only the other day I was thinking similarly: That almost every exploit >> that I read about, over the last umpteen years, was a buffer overflow; >> and why is it so? Are programmers such morons that they accept all data >> without care, rather than only accept what you actually expect? > > > No. It's because the entire world of modern computing is built on C, a > programming language that is a sort of portable assembly-language but > with pointer arithmetic, a language so brain-dead that it lets you > assign element 31 in an array of 30 elements, or write to the 42nd > character of a 40-character string. And which encourages programmers > to arithmetically manipulate pointers to data in memory directly, > which compels programmers to do their own memory-management manually. > To be clear on a couple of things. The array access that C provides is what you would get with assembly language (not "but lets you perform pointer arithmetic"), and actually a feature, not some brain-dead mistake, though maybe not a feature most people need. Second, heartbleed is not a buffer writing bug, it's *reading* past the end of an array. The patch check has been added against a length field they already have, so this was a mistake of trusting the supplied request and maybe not realising there could be a problem. This bug was pretty bad, but the kind of mistakes that lead to overflows and over-reads tend to be from not keeping track of the data properly and will cause other problems anyway, memory protection doesn't help with those. -- imalone http://ibmalone.blogspot.co.uk -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
