7

I have been programming in Java, C# and similar languages for years now and I never knew how buffer overflow exploits would work; then I started C and saw the fixed-size char arrays. After puking on my keyboard I realized that most of the vulnerable programs were indeed written in C or similar languages.

Comments
  • 1
    Yes, Java and C# are managed environments - they have their own runtime that protects from things like this.
  • 1
    @spl0 Yeah, I know. And of course it can also be an advantage that C "trusts" the programmer to write secure code, but when you are used to languages that do all the memory managing and checks for you, it is quite painful to write code in C. Just the fact that "strings" can't resize dynamically is so annoying. :S
  • 3
    @darkfire000 At some point though, you have to have some language that accesses the bare metal, so to speak!
  • 1
    @spl0 That is why I do learn it. The low-level access can be quite useful. Also I use C for programming microcontrollers. I used to do that in ASM but it takes a lot less time in C.
  • 1
    @darkfire000 I thought strings were immutable in Java?
  • 1
    @nmunro Yes but you can still do things like:
    String s = "hello";
    s += "123";
    Or
    String s = "hello";
    s = "hello123";

    In C the first is not possible at all and the second would just write into the next memory sections. Java automatically adjusts the memory allocations.
  • 1
    Yes, they're still new string objects though. I mean I know what you're saying in that in C you can't create a new string object bigger than the size of the original string object, but I guess I'm one of those "actually to be technical" types.

    It's OK, I openly admit I'm a bit of a dick, I don't mind if you have that opinion of me.
  • 1
    @darkfire000 hmm...

    #include <string.h>
    char s[100];
    strcpy(s, "hello");
    .
    .
    strcat(s, "123");
  • 1
    @spl0 Exactly, that's the point. It is possible, but it does not look nearly as good. And if the string is for some reason longer than 100 you have a buffer overflow :O
  • 1
    @darkfire000 ah, I misunderstood. I thought you said it wasn't possible to append to strings in C. It is as long as there is enough memory allocated originally.

    Obviously you have to manage memory yourself, hence realloc() etc.

    I think C strings are quite good, but they get a bad press due to programmers misusing them!
  • 1
    @spl0 Of course it is possible and I don't want to talk bad about C strings or C in general. My point was just that it is more work to use strings in C than it is, for example, in Java. Where you can just append by using += you need to call functions, etc. And the memory management can be quite annoying when beginning to learn C :D
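
Added example, not code from any poster in this thread: the two approaches the comments discuss, an append into a fixed-size array that refuses input that would not fit (instead of the unchecked strcat()), and a heap string that grows with realloc(). The names append_fixed, struct dynstr and dynstr_append are hypothetical, and the sample strings are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Append src to fixed buffer dst of cap bytes; -1 (dst untouched) if it won't fit. */
int append_fixed(char *dst, size_t cap, const char *src)
{
    const char *end = memchr(dst, '\0', cap);
    if (!end) return -1;                 /* dst is not NUL-terminated */
    size_t used = (size_t)(end - dst), add = strlen(src);
    if (add >= cap - used) return -1;    /* no room for src plus the NUL */
    memcpy(dst + used, src, add + 1);
    return 0;
}

/* Heap string grown with realloc(); struct and function names are hypothetical. */
struct dynstr { char *buf; size_t len, cap; };

int dynstr_append(struct dynstr *s, const char *src)
{
    size_t add = strlen(src);
    if (add > SIZE_MAX - s->len - 1) return -1;   /* size_t wrap-around */
    size_t need = s->len + add + 1;
    if (need > s->cap) {
        size_t ncap = s->cap ? s->cap : 16;
        while (ncap < need)
            ncap = (ncap > SIZE_MAX / 2) ? need : ncap * 2;
        char *p = realloc(s->buf, ncap);
        if (!p) return -1;               /* old buffer stays valid */
        s->buf = p;
        s->cap = ncap;
    }
    memcpy(s->buf + s->len, src, add + 1);
    s->len += add;
    return 0;
}

int main(void)
{
    char s[8] = "hello";                 /* constructed sample input */
    printf("%d\n", append_fixed(s, sizeof s, "12"));
    printf("%d\n", append_fixed(s, sizeof s, "3"));
    struct dynstr d = {0};
    if (dynstr_append(&d, "hello") == 0 && dynstr_append(&d, "123") == 0)
        printf("%s (%zu bytes used, %zu allocated)\n", d.buf, d.len, d.cap);
    free(d.buf);
    return 0;
}
```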