Thread: gets controversy

  1. #1
    Registered User
    Join Date
    Jul 2002
    Posts
    28

    gets controversy

    I direct this thread specifically to Sebastiani, Hammer or Prelude,
    who seem to know their C code.

    I'm new to this forum and I note that several contributors don't like
    the "gets" function. I write industrial C code on Unix and use:

    // CODE
    gets(input);
    sscanf(input, "%s", input);

    exclusively to get input from the user.

    My code gets run several hundred thousand times a year and I've never had a problem with this sequence.

    I also use:

    // CODE
    fgets(input, length, fd);   /* argument order is buffer, size, stream */
    sscanf(input, "%s", input);

    to read from files with no problems.

    Is there some problem with "gets" that I should know about?


    note:
    I used:
    void main(void)
    in my example but would never use that line in a real program.

    This line would normally be:
    int main(int argc, char *argv[])

    Also I'm writing this from memory at 1:30 in the morning so excuse any stupid mistakes.

  2. #2
    End Of Line Hammer's Avatar
    Join Date
    Apr 2002
    Posts
    6,231
    >I write industrial C code on Unix
    So do I

    >int main(int argc, char *argv[])
    Yep, that's a better way. I also use
    >int main(void)
    if I don't want to bother with the command line args.
    If you're posting code here as an answer to a question, try and make it as "correct" as you can, because most people here are newbies that don't know any better, and will take your code as being the way to go. We try to correct everyone that uses incorrect syntax like this, so we get a common feel across the board.

    Now, down to gets(). The problem is simply that it allows the buffer to overflow if the user enters too much data. For example, if you have
    >char name[10];
    >gets(name);
    and the user enters their name as a string of 20 characters, the gets() function will load all 20 bytes into memory at the start of the array. Because the array is only 10 bytes long, this will mean that the last few bytes are written outside the array bounds. This section of memory may, or may not be owned by your program. It may, or may not, cause the application that owns that memory to crash immediately, or at some point later on. It may also do nothing, if no application cares about that particular chunk of memory. Of course, the owning application could be the OS itself, so in theory you could lock up the host completely.

    The worst example, and one that happens all the time, is the exploitation of this type of bug as a security breach. Say for example your program needs to run with root privileges (via setuid). If the user is clever enough (and yes there is such a thing!), they can cause a buffer overflow, and take control of your program. This is done via altering vital information on the OS's stack where your program is being run. It is possible for the user to cause your program to spawn or become a command shell. At this point, the user will have a shell prompt running with root privileges that were inherited from your program. This type of bug is normally caused by incorrect use of strcpy(), where the source string is way longer than the target.

    This type of exploitation (unchecked buffers) has been seen in many professional applications (e.g. Microsoft web servers).

    Please don't ask too much about the details on this, cracker threads are not allowed on this board, and will get deleted by the Mods, and rightly so.
    When all else fails, read the instructions.
    If you're posting code, use code tags: [code] /* insert code here */ [/code]
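The char name[10] scenario from the post above, worked through in runnable form. This is an added example, not code from the thread or from any of the posters: the struct account layout, the field names, the read_line() helper and the 20-character input are all constructed for the demonstration. unbounded_copy() stands in for gets() (it is written as a clamped memcpy over the struct's bytes so the demo itself stays well-defined; a real gets() call has no clamp at all), and read_line() is the fgets()-based replacement, including the part people usually forget: noticing that the line was too long and throwing the rest of it away instead of letting the next read pick it up.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record: a 10-byte name field with another field directly
 * behind it in memory, the situation the char name[10] example describes. */
struct account {
    char name[10];
    char role[22];    /* the first thing an overlong name overwrites */
};

enum read_status { READ_OK, READ_TRUNCATED, READ_EOF };

/* Models gets(name): the whole line is stored, sizeof name is never consulted.
 * memcpy over the struct's bytes, clamped to the struct, keeps this demo
 * defined behaviour; real gets() keeps writing past the struct as well. */
void unbounded_copy(struct account *a, const char *line)
{
    size_t n = strlen(line) + 1;         /* gets() stores the NUL too */
    if (n > sizeof *a)
        n = sizeof *a;
    memcpy((char *)a, line, n);          /* starts at a->name, spills into a->role */
}

/* Replacement: fgets() writes at most size-1 bytes plus a NUL. A missing
 * trailing newline means the buffer was too small; report that and drain
 * the rest of the line so the next call does not read the leftover. */
enum read_status read_line(char *buf, size_t size, FILE *fp)
{
    size_t len;
    int c;

    if (fgets(buf, size, fp) == NULL) {
        buf[0] = '\0';
        return READ_EOF;
    }
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return READ_OK;
    }
    c = fgetc(fp);
    if (c == EOF)
        return READ_OK;                  /* final line merely lacked a newline */
    while (c != EOF && c != '\n')
        c = fgetc(fp);                   /* discard what did not fit */
    return READ_TRUNCATED;
}

/* A 20-character name through the gets()-style path: 1 if role was clobbered. */
int overflow_corrupts_role(void)
{
    struct account a;
    memset(&a, 0, sizeof a);
    strcpy(a.role, "user");
    unbounded_copy(&a, "AAAAAAAAAAAAAAAAAAAA");   /* 21 bytes into a 10-byte field */
    return strcmp(a.role, "user") != 0;
}

struct demo_result {
    enum read_status first, second;
    char name[10];
    char role[22];
    char next[10];
};

/* The same 20-character name through read_line(), followed by a second line,
 * fed from a constructed temporary file standing in for stdin. */
struct demo_result safe_read_demo(void)
{
    static const char input[] = "AAAAAAAAAAAAAAAAAAAA\nnext\n";   /* constructed */
    struct account a;
    struct demo_result r;
    FILE *fp;

    memset(&a, 0, sizeof a);
    memset(&r, 0, sizeof r);
    strcpy(a.role, "user");
    fp = tmpfile();
    if (fp == NULL) {
        r.first = r.second = READ_EOF;
        return r;
    }
    fputs(input, fp);
    rewind(fp);
    r.first = read_line(a.name, sizeof a.name, fp);
    r.second = read_line(r.next, sizeof r.next, fp);
    fclose(fp);
    memcpy(r.name, a.name, sizeof r.name);
    memcpy(r.role, a.role, sizeof r.role);
    return r;
}

/* 1 if the fgets() path truncated the name, kept role intact and still
 * delivered the following line correctly. */
int safe_read_behaves(void)
{
    struct demo_result r = safe_read_demo();
    return r.first == READ_TRUNCATED && strcmp(r.name, "AAAAAAAAA") == 0
        && strcmp(r.role, "user") == 0 && r.second == READ_OK
        && strcmp(r.next, "next") == 0;
}

int main(void)
{
    struct demo_result r = safe_read_demo();
    printf("gets()-style copy corrupted role: %s\n",
           overflow_corrupts_role() ? "yes" : "no");
    printf("fgets() path: status %d, name \"%s\", role \"%s\", next \"%s\"\n",
           (int)r.first, r.name, r.role, r.next);
    return 0;
}
```

Two things worth noticing when you run it. With the gets()-style copy, role goes from "user" to a run of A's without any error: the program keeps going with corrupted data, which is the "may crash later, or do nothing" case from the post, and with a return address instead of a role field it is the shell case. With read_line(), the name is cut to the nine characters that fit, the caller is told it was cut, and "next" is still read as its own line; without the drain loop the leftover "AAAAAAAAAAA" would have come back as the second line.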

  3. #3
    Registered User foniks munkee's Avatar
    Join Date
    Nov 2001
    Posts
    343
    Code:
    gets(input); 
    sscanf(input, "%s", input);
    What compiler/platform are you using? I would have thought in a Unix environment your compiler would complain about gets() saying it is unsafe to use.
    "Queen and huntress, chaste and fair,
    Now the sun is laid to sleep,
    Seated in thy silver chair,
    State in wonted manner keep."

  4. #4
    Registered User pinko_liberal's Avatar
    Join Date
    Oct 2001
    Posts
    284
    I think people started to look upon gets suspiciously after the internet worm attack of 1988.
    http://www.cs.utexas.edu/users/dsb/D...rm/lecture.htm
    The one who says it cannot be done should never interrupt the one who is doing it.

  5. #5
    Sayeh
    Guest
    Actually, and particularly since you are working with UNIX, why don't you open the sourcefile for your compiler library that contains 'gets()' and look at the actual sourcecode.

    If you are really that good, you'll find the problem if there is one, and you won't if there isn't.

    Trivial. The truth is in there...
