LinuxQuestions.org
Old 05-08-2005, 11:39 AM   #1
introuble
Member
 
Registered: Apr 2004
Distribution: Debian -unstable
Posts: 700

Rep: Reputation: 31
reading a char string of variable size in C


OK, so we want to read a char string of a variable size.

int BUF_SIZE;
char *buf;

we first get the BUF_SIZE:

scanf("%d", &BUF_SIZE);

we make room for the buffer:

buf = (char*) malloc(BUF_SIZE);

This gives a segmentation fault:

fscanf(stdin, "%s", buf);

What is the correct way to read the char string into buf?
 
Old 05-08-2005, 12:30 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,078

Rep: Reputation: 297
A couple of points:

(1) don't cast the return value of malloc. This can mask subtle coding errors if you forget to include stdlib.h

(2) fscanf(stdin, "%s", buf); is classic insecure (prone to buffer overflow exploit) code. What if the user enters more than BUF_SIZE data?

You can use the GNU readline function if you're writing GNU code; otherwise, it's not terribly tough to hack together your own readline lib (I did it a while ago). Basically, malloc a buffer of a certain size and then read one character at a time from input. Keep track of how many characters you read. When you're running low on space, realloc the buffer to a larger size. You may want to set some global maximum buffer size to prevent out-of-control usage. Also, don't forget the terminator at the end of the string!
 
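The grow-on-demand reader described in the post above, written out as an added example (this is not code from the thread or from GNU readline). It assumes a FILE* as the input source and takes the "global maximum" as a parameter, `max_bytes`, so the cap is easy to test; the initial 16-byte allocation and the doubling growth are my choices. The sample input in main() is constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* read_line: read one line from fp into a heap buffer that grows on demand.
 *
 *   max_bytes  hard cap on the buffer (including the terminating NUL); this is
 *              the "global maximum" that keeps a hostile or runaway input from
 *              consuming unbounded memory
 *   len_out    receives the number of characters stored (newline stripped)
 *   too_long   set to 1 when the line needed more than max_bytes - 1 characters
 *
 * Returns a malloc'd NUL-terminated string the caller must free(), or NULL at
 * end of input, on allocation failure, or when the line was too long (in that
 * case the rest of the line is discarded so the next call starts on a fresh
 * line instead of silently returning the tail as a new "line"). */
char *read_line(FILE *fp, size_t max_bytes, size_t *len_out, int *too_long)
{
    size_t cap = max_bytes < 16 ? max_bytes : 16;   /* initial allocation */
    size_t len = 0;
    char *buf;
    int c;

    if (too_long) *too_long = 0;
    if (len_out) *len_out = 0;
    if (cap == 0 || (buf = malloc(cap)) == NULL) return NULL;

    while ((c = getc(fp)) != EOF && c != '\n') {
        if (len + 1 >= cap) {                 /* room for this char AND the NUL? */
            if (cap >= max_bytes) {           /* cap reached: refuse, drain, bail out */
                free(buf);
                while (c != EOF && c != '\n') c = getc(fp);
                if (too_long) *too_long = 1;
                return NULL;
            }
            size_t new_cap = cap > max_bytes / 2 ? max_bytes : cap * 2;  /* no overflow */
            char *tmp = realloc(buf, new_cap);
            if (tmp == NULL) { free(buf); return NULL; }
            buf = tmp;
            cap = new_cap;
        }
        buf[len++] = (char)c;
    }

    if (len == 0 && c == EOF) { free(buf); return NULL; }  /* nothing left to read */
    buf[len] = '\0';                                        /* the terminator */
    if (len_out) *len_out = len;
    return buf;
}

/* constructed_input: wrap a constructed sample string in a FILE* (demo data only) */
FILE *constructed_input(const char *text)
{
    FILE *fp = tmpfile();
    if (fp == NULL) return NULL;
    fputs(text, fp);
    rewind(fp);
    return fp;
}

int main(void)
{
    /* constructed sample: third line is 96 characters and exceeds the 64-byte cap */
    FILE *fp = constructed_input("short\n"
                                 "a line comfortably longer than the sixteen-byte starting buffer\n"
                                 "0123456789abcdef0123456789abcdef0123456789abcdef"
                                 "0123456789abcdef0123456789abcdef0123456789abcdef\n");
    char *line;
    size_t len;
    int too_long;

    while ((line = read_line(fp, 64, &len, &too_long)) != NULL || too_long) {
        if (line == NULL) { puts("[line too long, skipped]"); continue; }
        printf("%zu: %s\n", len, line);
        free(line);
    }
    fclose(fp);
    return 0;
}
```

The two things the post warns about are both visible here: the cap check happens before every store (so a line that is exactly max_bytes - 1 characters still fits, and one character more is refused rather than overflowing), and the NUL is written only after the loop has guaranteed there is a byte left for it.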
Old 05-08-2005, 12:35 PM   #3
introuble
Member
 
Registered: Apr 2004
Distribution: Debian -unstable
Posts: 700

Original Poster
Rep: Reputation: 31
Hm, I was under the impression that fscanf was secure. So the only way to read a char string securely is to implement your own "readline" (or use the FSF readline)?

Since we are "in topic": is there any "list" of insecure functions/common security mistakes in C programming? (The more technically detailed, the better.)
 
Old 05-08-2005, 01:07 PM   #4
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,078

Rep: Reputation: 297
You can make scanf and friends more secure by not allowing arbitrary-length strings as input. For instance, scanf("%10s", buffer) will read at most 10 characters. You do need to pick the number at compile time, though. You can also use fgets, which allows you to specify a maximum size. But you can't expand that size if you get more data than you expect, so you wind up implementing a readline-like library if you care about getting everything.

I'm not sure about a list like you describe, but there's lots of good info in the comp.lang.c FAQ.
 
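Both bounded approaches from the post above, as an added example (not code from the thread). The scanf width is built from a compile-time constant so the "%10s" width and the buffer size cannot drift apart (a `%Ns` conversion stores up to N characters plus the NUL, so the buffer must be N + 1 bytes). The fgets wrapper reports when a line did not fit and drains the remainder, which is the failure mode to handle if you decide not to go the readline route. The names read_bounded, parse_name and NAME_MAX_CHARS are mine; the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define STR2(x) #x
#define STR(x) STR2(x)
#define NAME_MAX_CHARS 10
/* expands to "%10s"; the width is tied to NAME_MAX_CHARS, not typed by hand */
#define NAME_FMT "%" STR(NAME_MAX_CHARS) "s"

/* read_bounded: read one line into buf[size] with fgets.
 * Returns the number of characters stored (newline stripped), or -1 at
 * EOF/error. If the line did not fit, *truncated is set to 1 and the rest
 * of that line is discarded, so the next call starts on a fresh line rather
 * than returning the overflow as if it were new input. Assumes size <= INT_MAX. */
int read_bounded(FILE *fp, char *buf, size_t size, int *truncated)
{
    *truncated = 0;
    if (size == 0 || fgets(buf, (int)size, fp) == NULL) return -1;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {   /* whole line fit, strip newline */
        buf[--len] = '\0';
        return (int)len;
    }
    /* No newline in the buffer: either EOF ended the line, the line fit
     * exactly (next char is the newline), or the buffer filled up. */
    int c = getc(fp);
    if (c == EOF || c == '\n') return (int)len;
    *truncated = 1;
    do c = getc(fp); while (c != EOF && c != '\n');   /* drain the overflow */
    return (int)len;
}

/* parse_name: the scanf route. buf must hold NAME_MAX_CHARS + 1 bytes.
 * Returns the sscanf conversion count (1 on success). */
int parse_name(const char *input, char buf[NAME_MAX_CHARS + 1])
{
    return sscanf(input, NAME_FMT, buf);   /* stops after NAME_MAX_CHARS chars */
}

/* constructed_input: wrap a constructed sample string in a FILE* (demo data only) */
FILE *constructed_input(const char *text)
{
    FILE *fp = tmpfile();
    if (fp == NULL) return NULL;
    fputs(text, fp);
    rewind(fp);
    return fp;
}

int main(void)
{
    FILE *fp = constructed_input("alice\n"
                                 "an overly long line that will not fit\n"
                                 "bob\n");
    char buf[8];
    int truncated, len;

    while ((len = read_bounded(fp, buf, sizeof buf, &truncated)) >= 0)
        printf("%d%s: %s\n", len, truncated ? " (truncated)" : "", buf);
    fclose(fp);

    char name[NAME_MAX_CHARS + 1];
    if (parse_name("averyveryverylongname ignored", name) == 1)
        printf("%s\n", name);   /* averyveryv */
    return 0;
}
```

The exact-fit case is the one people get wrong: with an 8-byte buffer, a 7-character line leaves no newline in the buffer even though nothing was lost, so "no newline" alone is not a truncation signal; peeking at the next character settles it.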