vulnerabilities

jacob navia

Dave said:
Undefined behavior in C (N869 7.1.3#2, see also #1 and 7.21.6.1).
Not sure about C++, but at best highly antisocial there.

The compiler did not issue any warning, nor error.
Undefined behavior in C (N869 5.1.2.2.1#1).

That is irrelevant since this is C++
I believe this is a constraint violation in C++, though I'm not
sufficiently familiar with C++ standardese to be sure; in any case it
violates 3.6.1#2 of the draft C++ standard I'm looking at.
No complaints from the compiler
No pretending needed; it's neither legal C++ nor legal C.


dave

Maybe. You think that the program would not crash if I would
have written
int main (void) ???

The point I want to convey with this example is that
C++ has basically the same syntax of C in many aspects
and that therefore the problems associated with raw pointer handling
and buffer overflows will happen in C++ too.
 
jacob navia

Mike said:
But that equivalent syntax does not always have the same semantics.

Yes, it is a tricky business, but in most cases, the language is still
the same.

I can do a buffer overflow in C++ in no time, just as in C.

That is what I wanted to say, not anything else.
 
Mike Wahler

jacob navia said:
Well, this is C++, not C. I got used to main returning
automatically zero and forgot to assign the result.
The compiler complained and said I should use void
instead, which I did.

The compiler is wrong, for either C or C++.

-Mike
 
Mike Wahler

jacob navia said:
The compiler did not issue any warning, nor error.


That is irrelevant since this is C++

No complaints from the compiler


Maybe. You think that the program would not crash if I would
have written
int main (void) ???

The point I want to convey with this example is that
C++ has basically the same syntax of C in many aspects
and that therefore the problems associated with raw pointer handling
and buffer overflows will happen in C++ too.

Syntax has nothing to do with it.

-Mike
 
Mike Wahler

jacob navia said:
it will not compile in C++. But I said "*most*" of C89 is accepted
not *all*.

Since you can write programs in strict C in C++ (the whole C89
standard is quite accepted), and even if not used by C++
programmers, C is still in the specs of C++, so any C
vulnerabilities are in C++ also.



-Mike
 
Mark McIntyre

Well, this is C++, not C. I got used to main returning
automatically zero and forgot to assign the result.
The compiler complained and said I should use void
instead, which I did.

If this is C++, and your compiler accepted it, nay required you to change
it, then your compiler is junk. AFAIR C++ explicitly forbids main from
returning void.
 
Dave Vandervies

The compiler did not issue any warning, nor error.

Irrelevant; "undefined behavior" != "compiler must issue a diagnostic".

That is irrelevant since this is C++

Since you're claiming a similarity between C and C++, the fact that
you're apparently incapable of writing correct code in either is not at
all irrelevant.

[Apparently violating a `shall' is the C++ standardese equivalent of C's
`constraint violation' except where it's specified otherwise, so this
is correct.]
No complaints from the compiler

Then it's not a C++ compiler.

But I think we've recently had, if not this discussion, one isomorphic
to it, and I don't expect you to be any more capable of absorbing Clue
here than you were there.

Maybe. You think that the program would not crash if I would
have written
int main (void) ???

It still would have invoked undefined behavior in a few other places, so
whether or not it crashes would still have been questionably relevant at
best, but at least you would have had a chance at getting your credibility
all the way up to "not obviously zero" if you had avoided the blatantly
obvious mistakes.

The point I want to convey with this example is that
C++ has basically the same syntax of C in many aspects
and that therefore the problems associated with raw pointer handling
and buffer overflows will happen in C++ too.

Java has basically the same syntax as C in many aspects as well.
Pointer handling and buffer overflows have nothing to do with syntax.


dave
 
Kelsey Bjarnason

[snips]

The compiler did not issue any warning, nor error.

A compiler is not required to issue any messages on undefined behaviour,
so that means nothing.
That is irrelevant since this is C++

And C++ allows void main? I don't think so.
No complaints from the compiler

Again, so what?
Maybe. You think that the program would not crash if I would have
written
int main (void) ???

It may well have. The point is that by invoking undefined behaviour, you
explicitly tell the compiler you don't give a rat's rear *what* happens
when the code is run. Crash, setting your computer on fire, causing
visits from the in-laws, even appearing to work correctly, it's all
acceptable as far as you're concerned.
The point I want to convey with this example is that C++ has basically
the same syntax of C in many aspects and that therefore the problems
associated with raw pointer handling and buffer overflows will happen in
C++ too.

Except that syntax is largely a trivial thing. Again, look at the malloc
example; syntactically, it is correct in each language, but it won't even
compile in C++.
 
Kelsey Bjarnason

[snips]

Well, this is C++, not C. I got used to main returning
automatically zero and forgot to assign the result.
The compiler complained and said I should use void
instead, which I did.

Then your compiler is broken. main returns int. Not void, not
std::string, not a vector of structs, int.
 
Kelsey Bjarnason

[snips]

int main(void) {
char new[2];

new[0] = sizeof '1';
return 0;
}

which won't compile under C++, and if you change the name of new
won't give the right answer. These things are elementary.

Not sure what "the right answer" here is supposed to be; sizeof a
character literal is equivalent to sizeof(int) in C, sizeof(char) in C++,
but, last I checked, those sizes may be identical in either language.
 
Keith Thompson

jacob navia said:
Christopher said:
jacob navia said:
void main(void)
^^^^
Now why in the world would *you* post something so ridiculous?
{
char p[2];
memset(p,0,123546);
printf("not reached :)\n");
}
Will you pretend that this is not legal C++?
It compiles perfectly and crashes as it should.
There's no "should" involved with undefined behavior.

Well, this is C++, not C. I got used to main returning
automatically zero and forgot to assign the result.
The compiler complained and said I should use void
instead, which I did.

Your compiler saw a function declared to return int, but not returning
a value. For any function other than main, there are two sensible
solutions: either add a return statement, or change the declaration
from int to void. Your compiler foolishly suggested only one of the
two possible fixes (there's really no way for it to know which is
correct without more context). Even more foolishly, it ignored the
fact that the function being compiled happens to be main, which must
return int -- and which, in C++, doesn't require an explicit return (if
I recall correctly).

If you're familiar with C but not with C++, it's understandable that
you might incorrectly assume that C++, unlike C, allows void main,
especially given a sufficiently stupid diagnostic from a C++ compiler.
But since your code was intended to be valid C and valid C++, and
since you follow this newsgroup, I'm at a loss to understand why you
would post a program that uses void main.
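The program the thread argues about, rewritten so it is valid in both C and C++ as Keith describes (int main, the headers it uses) and with the oversized write replaced by a bounds-checked fill. This is an added example, not code from the original posts; checked_fill is a hypothetical helper, and the byte count 123546 is the one from the disputed snippet.

```c
#include <stdio.h>
#include <string.h>

/* Write n zero bytes into buf, but only if they fit in cap bytes.
   Returns 1 on success, 0 if the request is refused because it would
   run past the end of the buffer (the memset(p,0,123546) case). */
int checked_fill(char *buf, size_t cap, size_t n)
{
    if (buf == NULL || n > cap) {
        return 0;
    }
    memset(buf, 0, n);
    return 1;
}

/* Same shape as the thread's example, but with int main as both C and
   C++ require, and the stack-smashing write refused instead of performed. */
int main(void)
{
    char p[2];

    if (!checked_fill(p, sizeof p, 123546)) {
        printf("refused: 123546 bytes do not fit in a %u-byte buffer\n",
               (unsigned)sizeof p);
    }
    if (checked_fill(p, sizeof p, sizeof p)) {
        printf("filled %u bytes\n", (unsigned)sizeof p);
    }
    return 0;
}
```

The same source compiles unchanged as C or C++, which is the point both sides of the thread agree on: the fix for the overflow is the same bounds discipline in either language.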
 
jacob navia

Please, that wasn't the point of that code.

The point is that C++ has the same vulnerabilities as C, since
most of C is included in C++ anyway: naked pointers,
buffers, manual memory management, etc etc.

If I would have written int main(void) the program will
crash anyway. Yes, as I learn now, C++ needs int main(void)
as C. OK. I made a trivial mistake, and the compiler
accepted that.

Couldn't we get to my point: the program crashes, and I can inject
code into the stack in C++ just as in C.
They share all vulnerabilities.

That is the subject matter of the discussion. OK I can understand
that somebody trips at "void main(void)", but let's come
back to the discussion about vulnerabilities!

I see that since nobody has given any arguments why C++ should
be exempted from the same problems that C has, that my point has been
accepted.

jacob
 
Keith Thompson

jacob navia said:
Yes, it is a tricky business, but in most cases, the language is still
the same.

I can do a buffer overflow in C++ in no time, just as in C.

That is what I wanted to say, not anything else.

Then perhaps that's all you should have said. Your point was valid,
but you supported it with invalid examples. (It's the nature of this
newsgroup, as you know, to pounce on errors.)
 
Keith Thompson

jacob navia said:
Will you pretend that this is not legal C++?
It compiles perfectly and crashes as it should.

C has no concept of "crashes as it should". Undefined behavior is
undefined behavior. (I think the same is true of C++.)
 
Keith Thompson

jacob navia said:
In the literature, the distinction is not done at all.
For instance, one of the most complete papers about this subject
"Code injection in C and C++: A survey of vulnerabilities and
Countermeasures" by Younan, Joosen and Piessens makes no
distinction at all between C or C++ (July 2004)
Url:
http://www.cs.kuleuven.ac.be/publicaties/rapporten/cw/CW386.pdf

If the literature is talking about vulnerabilities, it probably
doesn't need to distinguish between C and C++. The languages are
close enough that they're likely to have the same set of
vulnerabilities. (C++ may add new ones with its features that don't
appear in C; that's a topic for another newsgroup.)
But I said "*most*" of C89 is accepted not *all*. These examples are
trivial.

If you had actually said that, we wouldn't be having this discussion.

If you make an error while making a valid point, you can expect us to
point out the error. If you later claim not to have committed the
error, you can expect to be flamed.
 
jacob navia

Keith said:
If you make an error while making a valid point, you can expect us to
point out the error. If you later claim not to have committed the
error, you can expect to be flamed.

OK. You are right.

I made a mistake when writing that example.

Sorry about that guys.
 
Keith Thompson

jacob navia said:
Please, that wasn't the point of that code.

We understand that, but you've been hanging out here long enough to
know that errors, even ones not relevant to your main point, will not
be ignored. The only way to avoid that is to be knowledgeable and
careful enough to avoid making errors in the first place. The
second-best solution (one I've often used) is to admit your errors
when they're pointed out.
The point is that C++ has the same vulnerabilities as C, since
most of C is included in C++ anyway: naked pointers,
buffers, manual memory management, etc etc.

If I would have written int main(void) the program will
crash anyway. Yes, as I learn now, C++ needs int main(void)
as C. OK. I made a trivial mistake, and the compiler
accepted that.

The program exhibits undefined behavior. You cannot conclude from the
standard that it will crash.

I actually agree with the point you were originally trying to make.
I haven't discussed it further because I don't have much more to say
about it.
 
Elliott Back

wijhierbeneden said:
Hello

I want to make a list of all the vulnerabilities in C/C++.
I am aware of bufferoverflow/heapoverflow/race conditions/format string bugs/
Off-by-one/ numeric under- and overflow/ unsigned-signed mismatch

Are there other vulnerabilities in c/c++??

thx

A language doesn't have a "vulnerability." Vulnerabilities are
properties of poorly written programs. To enumerate the ways in which a
program can be poorly written is ... tedious. You could add things like
"data injection" and "data execution" to your list, if you wanted, but
this only scratches the surface of the wrong things you can do in C.
 
Dan Pop

In said:
But since your code was intended to be valid C and valid C++, and
since you follow this newsgroup, I'm at a loss to understand why you
would post a program that uses void main.

You're ignoring the obvious explanation: his disregard for *any* standard.
void main works on his compiler and this is good enough for him.

Dan
 
Dan Pop

In said:
If I would have written int main(void) the program will
crash anyway. Yes, as I learn now, C++ needs int main(void)
^^^^^^^^^^^^^^
as C. OK. I made a trivial mistake, and the compiler
accepted that.

Couldn't we get to my point: the program crashes, and I can inject

The *real* point is that you're talking about a language you do not know.
Only fools do that.

Dan
 