From ce992c815f05c8487850872bfe44999a08b1f340 Mon Sep 17 00:00:00 2001 From: Melody Horn Date: Tue, 20 Oct 2020 10:25:25 -0600 Subject: add more details --- safety.md | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) (limited to 'safety.md') diff --git a/safety.md b/safety.md index d353227..6550492 100644 --- a/safety.md +++ b/safety.md @@ -4,7 +4,29 @@ Each item in Wikipedia's [list of types of memory errors](https://en.wikipedia.o ## Buffer overflow -bounds checking based on uhhhh something +Crowbar addresses buffer overflow with bounds checking. +In C, the type `char *` can point to a single character, a null-terminated string of unknown length, a buffer of fixed size, or nothing at all. +In Crowbar, the type `char *` can only point to either a single character or nothing at all. +If a buffer is declared as `char[50] name;` then it has type `char[50]`, and can be implicitly converted to `(char[50])*`, a pointer-to-50-chars. +If memory is dynamically allocated, it works as follows: + +```crowbar +void process(size_t bufferSize, char[bufferSize] buffer) { + // do some work with buffer, given that we know its size +} + +int main(int argc, (char[1024?])[argc] argv) { + size_t bufferSize = getBufferSize(); + (char[bufferSize])* buffer = malloc(bufferSize); + process(bufferSize, buffer); + free(buffer); +} +``` + +Note that `malloc` as part of the Crowbar standard library has signature `(char[size])* malloc(size_t size);` and so no cast is needed above. +Note as well that the type of `argv` is complicated. +This is because the elements of `argv` have unconstrained size. +TODO figure out if that's the right way to handle that ## Buffer over-read -- cgit v1.2.3