CERT Advisory CA-2001-16

John Chambers jc at trillian.mit.edu
Wed Jul 4 19:26:14 EDT 2001


| Excellent answers!  Thanks guys.
|
| I wonder if this is a good argument for implementing network services in
| Java?

Not really. The real problem in C is the library routines that
implement unbounded input. But each such routine is matched by one
that has a size parameter. All you have to do is use the functions
that have such a parameter. Instead of gets(), you'd use fgets(), for
example. This is a few more characters to type, but it avoids the
problem entirely. Java is one of a great many languages that prevent
such problems by not allowing unchecked array references. But the
cost of checking all array references is part of why those languages
don't match the performance of C code.

OTOH, if getting the best performance isn't an issue, and you have
java programmers on hand, there's no reason not to use java, or perl
or tcl or python for that matter. Network services do tend to have
their speed limited by network connection and transfer times, and the
speed of the code is usually not a significant part of response time.
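
The gets()-to-fgets() substitution mentioned in the message above, as an added example that is not part of the original post: fgets() bounds the write but truncates silently, so the reader below also detects an overlong line, drains it, and rejects it. The names read_line, sample_stream and line_status are hypothetical, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

enum line_status { LINE_OK, LINE_TOO_LONG, LINE_EOF };

/* Read one line into buf (cap bytes, including the terminating NUL).
 * fgets() never writes past cap, but it truncates silently, so an overlong
 * line is detected, drained up to its newline and rejected as a whole.
 * Assumes text input with no embedded NUL bytes. */
enum line_status read_line(FILE *in, char *buf, size_t cap)
{
    if (cap < 2 || fgets(buf, (int)cap, in) == NULL)
        return LINE_EOF;                 /* end of input or read error */

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';             /* complete line: drop the newline */
        return LINE_OK;
    }

    int c = getc(in);                    /* no newline stored: look one byte ahead */
    if (c == EOF || c == '\n')
        return LINE_OK;                  /* line fit exactly, or last line lacks '\n' */

    while (c != '\n' && c != EOF)        /* discard the rest of the long line */
        c = getc(in);
    buf[0] = '\0';                       /* never hand a truncated line to the caller */
    return LINE_TOO_LONG;
}

/* Constructed sample input, served from a temporary file so it runs offline. */
FILE *sample_stream(const char *text)
{
    FILE *f = tmpfile();
    if (f != NULL && fputs(text, f) != EOF)
        rewind(f);
    return f;
}

int main(void)
{
    char buf[8];                         /* deliberately small for the demo */
    enum line_status st;
    FILE *in = sample_stream("GET /\nAAAAAAAAAAAAAAAAAAAAAAAA\nok\n");
    while (in != NULL && (st = read_line(in, buf, sizeof buf)) != LINE_EOF)
        printf("%s \"%s\"\n", st == LINE_OK ? "accept" : "reject", buf);
    return in == NULL;
}
```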
