path: root/safety.md
author: Melody Horn <melody@boringcactus.com> 2020-10-20 10:25:25 -0600
committer: Melody Horn <melody@boringcactus.com> 2020-10-20 10:25:25 -0600
commit: ce992c815f05c8487850872bfe44999a08b1f340 (patch)
tree: 136b1e9c851db376d526ee00bebb1dea22f38db1 /safety.md
parent: 8e9394ad85bc921e0658fd2758f5717540101627 (diff)
add more details
Diffstat (limited to 'safety.md')
-rw-r--r-- safety.md 24
1 files changed, 23 insertions, 1 deletions
diff --git a/safety.md b/safety.md
index d353227..6550492 100644
--- a/safety.md
+++ b/safety.md
@@ -4,7 +4,29 @@ Each item in Wikipedia's [list of types of memory errors](https://en.wikipedia.o
## Buffer overflow
-bounds checking based on uhhhh something
+Crowbar addresses buffer overflow with bounds checking.
+In C, the type `char *` can point to a single character, a null-terminated string of unknown length, a buffer of fixed size, or nothing at all.
+In Crowbar, the type `char *` can only point to either a single character or nothing at all.
+If a buffer is declared as `char[50] name;` then it has type `char[50]`, and can be implicitly converted to `(char[50])*`, a pointer-to-50-chars.
+If memory is dynamically allocated, it works as follows:
+
+```crowbar
+void process(size_t bufferSize, char[bufferSize] buffer) {
+ // do some work with buffer, given that we know its size
+}
+
+int main(int argc, (char[1024?])[argc] argv) {
+ size_t bufferSize = getBufferSize();
+ (char[bufferSize])* buffer = malloc(bufferSize);
+ process(bufferSize, buffer);
+ free(buffer);
+}
+```
+
+Note that `malloc` as part of the Crowbar standard library has signature `(char[size])* malloc(size_t size);` and so no cast is needed above.
+Note as well that the type of `argv` is complicated.
+This is because the elements of `argv` have unconstrained size.
+TODO figure out if that's the right way to handle that
## Buffer over-read
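Review bot: The example's types do not line up with the conversion rule stated just above it: `main` passes `buffer`, of type `(char[bufferSize])*`, to `process`, whose parameter is declared as the array type `char[bufferSize] buffer`, while the prose only introduces the array-to-pointer direction (`char[50]` converting to `(char[50])*`), not pointer-to-array back to array. Either declare the parameter as `(char[bufferSize])* buffer` or spell out in the text that the conversion is implicit in both directions, since a reader will otherwise wonder whether the pointer is dereferenced or copied at the call. The same block also hands the result of `malloc` straight to `process` with no check for the "nothing at all" case the section itself says a pointer can hold, so the bounds-checking story should say what happens on a null `(char[size])*` (compile-time requirement to check, or a defined runtime fault). Smaller points: `int main` has no `return`, and the `?` in `(char[1024?])[argc] argv` is used without being defined anywhere in the hunk; if it is placeholder syntax, the TODO line should say so explicitly.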