Re: Standards for developing secure software

From: Luciano Miguel Ferreira Rocha (strangeat_private-ip.org)
Date: Mon Jan 27 2003 - 12:01:15 PST

Next message: Jeff Williams: "malicious code"

Previous message: Valdis.Kletnieksat_private: "Re: Standards for developing secure software"
In reply to: jasonk: "RE: Standards for developing secure software"
Next in thread: Ben Pfaff: "Re: Standards for developing secure software"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Jan 25, 2003 at 11:48:29PM +1100, jasonk wrote:
> > What if the string length is negative? (and yes, I've seen a C
> strlen()
> > return a negative value, when another thread trashed the stack and
> > corrupted
> > the return value).
> 
> Even better, and sticking with the whole *point* of the idea: what if
> the string length is NOT between 1 and some defined normal maximum?
> What if it contains letters other than a-z & A-Z?
The length is an integer value, it doesn't contain letters nor numbers,
it's not a string, just a value.

> Isn't this the whole point of the exercise?  Catch everything you need
> and drop the rest ..
And check everything you do catch.

Regards,
Luciano Rocha

-- 
Consciousness: that annoying time between naps.

Next message: Jeff Williams: "malicious code"
Previous message: Valdis.Kletnieksat_private: "Re: Standards for developing secure software"
In reply to: jasonk: "RE: Standards for developing secure software"
Next in thread: Ben Pfaff: "Re: Standards for developing secure software"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 13:08:00 PST