[kman42]

I'm running a cli app that gives me this warning:

warning: this program uses gets(), which is unsafe.


Can someone tell me what's wrong with gets()?

thanks,
kman

[Mithras]

[ mithras@jukebox ] man gets

... snipped ...

BUGS
Since it is usually impossible to ensure that the next input line is less
than some arbitrary length, and because overflowing the input buffer is
almost invariably a security violation, programs should NEVER use gets().
The gets() function exists purely to conform to ISO/IEC 9899:1990
(``ISO C89'').

So i guess it's hackable, only really worrisome if the program accepts input from the network, or strangers.

[WJMoore]

Buffer overflow is the problem. gets() will keep writing into a buffer after the end of the buffer causing the potential for a buffer overflow - a frequent cause of security updates on programs. You should use fgets() which takes a length argument and will never read more characters than this length and therefore won't overflow.

Wesley

[Richard Edgar]

So i guess it's hackable, only really worrisome if the program accepts input from the network, or strangers

Well, there is such a thing as getting into good habits. gets() should never have got into the standard in the first place (it dates from two years after the Internet Worm). I find it amusing that it is still in the C99 standard (or was, last time I checked).