Re: Standards for developing secure software

From: Luciano Miguel Ferreira Rocha (strangeat_private-ip.org)
Date: Mon Jan 27 2003 - 12:01:15 PST


    On Sat, Jan 25, 2003 at 11:48:29PM +1100, jasonk wrote:
    > > What if the string length is negative? (and yes, I've seen a C strlen()
    > > return a negative value, when another thread trashed the stack and
    > > corrupted the return value).
    > 
    > Even better, and sticking with the whole *point* of the idea: what if
    > the string length is NOT between 1 and some defined normal maximum?
    > What if it contains letters other than a-z & A-Z?
    The length is an integer value; it doesn't contain letters or numbers.
    It's not a string, just a value.
    
    > Isn't this the whole point of the exercise?  Catch everything you need
    > and drop the rest ..
    And check everything you do catch.
    
    Regards,
    Luciano Rocha
    
    -- 
    Consciousness: that annoying time between naps.
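
The checks discussed in this exchange (length within 1 and a defined maximum, letters a-z and A-Z only, and the length itself verified before use), as an added example that is not part of the original message or thread. The function name, status codes and the limit of 32 are assumptions chosen for illustration, and the character ranges assume an ASCII-compatible execution character set.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limit: the thread only says "some defined normal maximum". */
#define NAME_MAX_LEN 32

enum name_status { NAME_OK, NAME_NULL, NAME_UNTERMINATED, NAME_BAD_LENGTH, NAME_BAD_CHAR };

/*
 * Validate a field held in a buffer of buf_size bytes.
 * The length comes from a bounded scan and is kept in a size_t, so it cannot
 * be negative or run past the buffer; it is range-checked before any byte
 * of the content is examined.
 */
enum name_status validate_name(const char *buf, size_t buf_size)
{
    if (buf == NULL || buf_size == 0)
        return NAME_NULL;

    const char *nul = memchr(buf, '\0', buf_size);   /* never reads past buf_size */
    if (nul == NULL)
        return NAME_UNTERMINATED;

    size_t len = (size_t)(nul - buf);
    if (len < 1 || len > NAME_MAX_LEN)
        return NAME_BAD_LENGTH;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        int upper = (c >= 'A' && c <= 'Z');
        int lower = (c >= 'a' && c <= 'z');
        if (!upper && !lower)        /* explicit ranges: isalpha() depends on locale */
            return NAME_BAD_CHAR;
    }
    return NAME_OK;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "Alice", "", "abc1", "O'Brien" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %d\n", samples[i],
               (int)validate_name(samples[i], strlen(samples[i]) + 1));
    return 0;
}
```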
    


