if one complains about gets(), why not do the same with scanf(“%s”,…)?

前端 未结 5 647
情深已故
情深已故 2021-01-06 03:57

From man gets:

Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters ge

相关标签:
5条回答
  • 2021-01-06 04:07

    I am not sure why the man page for scanf doesn't mention the probability of a buffer overrun, but vanilla scanf is not a secure option. A rather dated link - http://blogs.msdn.com/b/rsamona/archive/2005/10/24/484449.aspx shows this as the case. Also, check this (not gcc but informative nevertheless) - http://blogs.msdn.com/b/parthas/archive/2006/12/06/application-crash-on-replacing-sscanf-with-sscanf-s.aspx

    0 讨论(0)
  • 2021-01-06 04:12

    Using gets() is never safe. scanf() can be used safely, as you said in your question. However, determining if you're using it safely is a more difficult problem for the compiler to work out (e.g. if you're calling scanf() in a function where you pass in the buffer and a character count as arguments, it won't be able to tell); in that case, it has to assume that you know what you're doing.

    0 讨论(0)
  • 2021-01-06 04:13

    It may be simply that scanf will allocate space on the heap based on how much data is read in. Since it doesn't allocate the buffer and then read until the null character is read, it doesn't risk overwriting the buffer. Instead, it reads into its own buffer until the null character is found, and presumably copies that buffer into another of the correct size at the end of the read.

    0 讨论(0)
  • 2021-01-06 04:18

    The answer is simply that no-one has written the code in GCC to produce that warning.

    As you point out, a warning for the specific case of "%s" (with no field width) is quite appropriate.

    However, bear in mind that this is only the case for the case of scanf(), vscanf(), fscanf() and vfscanf(). This format specifier can be perfectly safe with sscanf() and vsscanf(), so the warning should not be issued in that case. This means that you cannot simply add it to the existing "scanf-style-format-string" analysis code; you will have to split that into "fscanf-style-format-string" and "sscanf-style-format-string" options.

    I'm sure if you produce a patch for the latest version of GCC it stands a good chance of being accepted (and of course, you will need to submit patches for the glibc header files too).

    0 讨论(0)
  • 2021-01-06 04:24

    When the compiler looks at the formatting string of scanf, it sees a string! That's assuming the formatting string is not entered at run-time. Some compilers like GCC have some extra functionality to analyze the formatting string if entered at compile time. That extra functionality is not comprehensive, because in some situations a run-time overhead is needed which is a NO NO for languages like C. For example, can you detect an unsafe usage without inserting some extra hidden code in this case:

    char* str;
    size_t size;
    scanf("%z", &size);
    str = malloc(size);
    scanf("%9s"); // how can the compiler determine if this is a safe call?!
    

    Of course, there are ways to write safe code with scanf if you specify the number of characters to read, and that there is enough memory to hold the string. In the case of gets, there is no way to specify the number of characters to read.

    0 讨论(0)
提交回复
热议问题