[CSS_ACM_General_List] a question

John Kristoff jtk at depaul.edu
Tue May 24 13:29:36 CDT 2011


On Tue, May 24, 2011 at 11:54:29AM -0500, Sean Neilan wrote:
> What happens in Python that generally doesn't happen in a server in C to
> prevent buffer overflows? Why should Python have an advantage over the
> language it was written in?

Python and other languages like it generally make it much harder for
you to mess up in this way.  In C, your variables, most notoriously
strings, require you to allocate and properly use the memory set aside
for them.  For instance,

  char foo[80];

Sets up 80 bytes for a string named 'foo'.  What happens when you
try to put 81 bytes into that variable?  Well, if you code safely
that won't happen, but say you did something like this:

  gets(foo);

It is trivial to give more than 80 bytes via gets and, voila, buffer
overflow.

In Python, and others, memory is managed automatically for you as
needed.  In Python, you don't even need to allocate memory for foo.
It could be a string of arbitrary size; Python will figure out and
handle all the memory management for you.  Even if foo changes
drastically throughout your running program, it's not something you
have to manage directly.  Memory management is all handled under the
covers for you.  I don't know Python well, but I imagine under the
covers are essentially mallocs and frees that do this for you.

Of course, you might be able to stuff foo full of data exceeding the
resources of the running system, but that is a slightly separate issue.

Note, even with Python's memory management doing all the work for
you, you may not entirely be rid of buffer overflows if the underlying
language implementation has a bug.  For example:

  <http://www.securityfocus.com/bid/30491>

John
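
Added example, not part of the original message: a bounded replacement for the gets(foo) call above, using fgets() so a line longer than foo[80] is cut off and reported instead of written past the buffer. The names read_line_bounded, sample_input and the LINE_* codes are hypothetical, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes and helper names; not from the original post. */
enum { LINE_OK = 0, LINE_TRUNCATED = 1, LINE_EOF = -1 };

/* Read one line into buf[size] without ever writing past its end.
 * gets() takes no size argument, so it cannot stop at the buffer boundary;
 * fgets() stores at most size-1 bytes and always NUL-terminates. */
int read_line_bounded(FILE *in, char *buf, size_t size)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return LINE_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';            /* whole line fit: strip the newline */
        return LINE_OK;
    }

    /* No newline stored: either the line exactly filled the buffer or it
     * was too long. Peek at the next byte to tell the two cases apart. */
    int c = fgetc(in);
    if (c == '\n' || c == EOF)
        return LINE_OK;
    while ((c = fgetc(in)) != '\n' && c != EOF)
        ;                               /* discard the rest of the long line */
    return LINE_TRUNCATED;
}

/* Constructed input: one 100-byte line, then the short line "hello". */
FILE *sample_input(void)
{
    FILE *f = tmpfile();
    if (f == NULL)
        return NULL;
    for (int i = 0; i < 100; i++)
        fputc('A', f);
    fputs("\nhello\n", f);
    rewind(f);
    return f;
}

int main(void)
{
    char foo[80];
    FILE *in = sample_input();
    int rc;
    while (in && (rc = read_line_bounded(in, foo, sizeof foo)) != LINE_EOF)
        printf("rc=%d len=%zu\n", rc, strlen(foo));
    return in ? fclose(in) : 1;
}
```

Discarding the remainder of an overlong line keeps the leftover bytes from being read as the next line.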

