I made the following code and I want to know if this is the best method of string input in C from a security and bug-free point of view.

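```c
#include <stdio.h>
#include <string.h>

#define MSG_LEN 25

int main(void) {
  char msg[MSG_LEN];
  size_t i;

  while (1) {
    putchar(':');
    /* fgets stores at most MSG_LEN - 1 characters; NULL means EOF or error */
    if (fgets(msg, MSG_LEN, stdin) == NULL) break;
    for (i = 0; i < strlen(msg); i++) {
      putchar(msg[i]);
    }
    /* A full buffer that does not end in '\n' holds only part of the line */
    if (strlen(msg) == MSG_LEN - 1 && msg[MSG_LEN - 2] != '\n') {
      putchar('\n');
      /* Discard the rest of the over-long line */
      while (strlen(msg) == MSG_LEN - 1 && msg[MSG_LEN - 2] != '\n') {
        if (fgets(msg, MSG_LEN, stdin) == NULL) return 0;
      }
    }
  }
  return 0;
}
```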

Finally I found the solution for my question after bumping my head against the wall for some time. Has anyone got any improvement for this code? I give most of the credit to Simon Goater.

CiberNux
  • *"The only bug i can point to is the string array overflow over 25 characters."* -----> `fgets` will read at most `n - 1` bytes. So there's no possibility of overflowing the buffer that I know of. – Harith Jan 22 '23 at 12:49
  • ok. So is this the best string method of input? – CiberNux Jan 22 '23 at 13:01
  • See: https://stackoverflow.com/q/9278226/20017547 – Harith Jan 22 '23 at 13:04
  • The only other point I can see is that the input will be truncated if it contains a null character. But it should be fine if it's only meant to handle plain text. It's not a security bug. – Nate Eldredge Jan 22 '23 at 15:52

1 Answer

The main issues with user input in C are avoiding buffer overflows, which your code does, and draining/truncating the input that is longer than the given buffer allows. If you don't drain the remaining data, it can be read in again without blocking on the next fgets and give undesirable results. I've modified your code to loop so that the draining feature can be shown.

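```c
#include <stdio.h>
#include <string.h>

#define MSG_LEN 25

int main(void) {
  char msg[MSG_LEN];

  while (1) {
    puts(":");
    /* fgets stores at most MSG_LEN - 1 characters; NULL means EOF or error */
    if (fgets(msg, MSG_LEN, stdin) == NULL) break;
    printf("%s", msg);
    /* A full buffer that does not end in '\n' holds only part of the line */
    if (strlen(msg) == MSG_LEN - 1 && msg[MSG_LEN - 2] != '\n') {
      printf("\n");
      /* Drain the rest of the over-long line so the next prompt starts clean */
      while (strlen(msg) == MSG_LEN - 1 && msg[MSG_LEN - 2] != '\n') {
        if (fgets(msg, MSG_LEN, stdin) == NULL) return 0;
      }
    }
  }
  return 0;
}
```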
Simon Goater
  • I don't like the printf in your code; I saw on YouTube that it is a security problem. But I don't know if they were referring to the printf or scanf buffer overflow. – CiberNux Jan 22 '23 at 14:46
  • It can be a problem where the string is not null terminated, but in this case it is. If you can tell me how it is vulnerable here, I would be very interested because I think it is okay. – Simon Goater Jan 22 '23 at 15:08
  • It was on David Bombal's YouTube channel, where he talks to a woman security expert who wrote a book, and she says that what schools start teaching students, like printf, is outdated and is a security issue. – CiberNux Jan 22 '23 at 15:20
  • @CiberNux: There are certainly ways of using `printf` that do have security problems, e.g. if the attacker can control the format string. But if the format string is a simple constant `%s` then there should be no issue. Sure, in some sense it is outdated - in some sense the entire C language is outdated - but it's not inherently a security issue. – Nate Eldredge Jan 22 '23 at 15:50
  • Could you please do a mixture of your code with mine without printf? I will give thumbs up if you do it. – CiberNux Jan 22 '23 at 15:58
  • So you say C is all outdated; do you think it is a bad idea that I'm learning it? – CiberNux Jan 22 '23 at 16:07
  • I heard C programmers try to get routines and sometimes buy them to get around C language input limitations. Maybe a combination of both is a perfect routine for many jobs. What do you think? – CiberNux Jan 22 '23 at 16:14
  • @CiberNux, I think all Nate was trying to say is that the C language has a pretty long history, and parts of it reflect that. I am confident that no one here is opining one way or another on whether you should study C. – John Bollinger Jan 22 '23 at 16:52
  • On the other hand, I definitely suggest that you not try to learn C *from YouTube videos*. The quality and correctness of such videos vary widely, and novices such as yourself are not well equipped to distinguish the better ones from the utter garbage. Moreover, it's easy for a novice to miss or misunderstand key points that color the material being delivered. Find a well-reputed textbook or online course, or take courses at a decent university. – John Bollinger Jan 22 '23 at 16:57
  • I don't study C from YouTube. I study from well-known books from Amazon on the subject. The code in the question was partly taken from "C Programming Absolute Beginners Guide" by Greg Perry and Dean Miller. A reference book about the C language with a very good reputation. I don't have money for courses and not enough school to enter university. I am trying to learn by myself with my own weak and poor resources. – CiberNux Jan 22 '23 at 18:30
  • I'm Portuguese. I only have 9th grade in school and as you can see my English is not bad. But it is still a barrier for learning C and some technical terms. Some things Nate said I did not understand very well, but I have an idea of what he's saying. – CiberNux Jan 22 '23 at 18:43
  • Also I find the various technical names applied to only one specific situation and point confusing, but I already know some in English that are the most used and correct. – CiberNux Jan 22 '23 at 18:56
  • Some designations I know: commands functions comments switch case for while do-while Operators arithmetic logical relational compound assignment increment decrement conditional Data types integer char string floating point number control string Arrays elements subscripts null zero string terminator backslash zero binary zero format specifier or place holders: %s, %d, %f, %c. pointer &. preprocessor directives #include stdio.h, stdlib.h time.h math.h string.h ctype.h escape sequences "myheader.h" #define CONSTANT break; continue; printf scanf fgets puts gets putchar getchar – CiberNux Jan 22 '23 at 19:21
  • Also when someone shows code that I never saw, I have a little hard time understanding it and trying to read it, even when I know all the symbols' meanings and operations and priorities. For instance = is assigning a value, == is comparing. But I still find it confusing. – CiberNux Jan 22 '23 at 19:34
  • Simply not using functions like printf just because they can cause problems in some scenarios is no way to approach C programming. Essential functions like malloc and free can cause problems if not used correctly. C is a difficult language for beginners to code well in because you need to know the dangers of what you're doing all the time. If you don't need the performance or low level control of C, it would probably be better to choose a different language, in my opinion. – Simon Goater Jan 23 '23 at 13:00
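
The `fgets`-and-drain approach from this thread, packaged as a reusable function that tells end of input, a complete line (including one that exactly fills the buffer) and a truncated line apart, and that prints with a constant format string as discussed in the comments. This is an added example, not code posted by anyone in the thread; `read_line`, `nth_line`, the `LINE_*` names and the `SAMPLE` input are invented for the illustration.

```c
#include <stdio.h>
#include <string.h>
#define MSG_LEN 25
enum line_status { LINE_OK, LINE_TRUNCATED, LINE_EOF };
static char msg[MSG_LEN];
/* Constructed input: 23 chars + '\n' (fills the buffer exactly), a 40-char
   line, a short line, and a final line with no newline. */
static const char SAMPLE[] = "ABCDEFGHIJKLMNOPQRSTUVW\n"
    "0123456789012345678901234567890123456789\nok\nlast";

/* Read one line, strip '\n', and drain whatever did not fit in buf. */
static enum line_status read_line(FILE *in, char *buf, size_t cap)
{
    int c, dropped = 0;
    if (fgets(buf, (int)cap, in) == NULL) {  /* EOF or read error */
        buf[0] = '\0';
        return LINE_EOF;                     /* caller must stop looping */
    }
    size_t len = strcspn(buf, "\n");
    if (buf[len] == '\n') {                  /* the whole line fit */
        buf[len] = '\0';
        return LINE_OK;
    }
    if (len < cap - 1)                       /* last line, no newline */
        return LINE_OK;
    while ((c = getc(in)) != '\n' && c != EOF)
        dropped = 1;                         /* drain the over-long line */
    return dropped ? LINE_TRUNCATED : LINE_OK;
}

/* Harness: feed input via a temp file; status of n-th line, text in msg. */
static enum line_status nth_line(const char *input, int n)
{
    enum line_status st = LINE_EOF;
    FILE *f = tmpfile();
    if (f == NULL) return LINE_EOF;
    fputs(input, f);
    rewind(f);
    while (n-- > 0) st = read_line(f, msg, sizeof msg);
    fclose(f);
    return st;
}

int main(void)
{
    for (int n = 1; n <= 5; n++) {
        int st = (int)nth_line(SAMPLE, n);
        printf("%d: status=%d text=\"%s\"\n", n, st, msg); /* constant format */
    }
    return 0;
}
```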