[Info-vax] Any stronger versions of the LMF planned ?, was: Re: LMF Licence Generator Code
Arne Vajhøj
arne at vajhoej.dk
Fri Aug 20 09:20:39 EDT 2021
On 8/20/2021 2:41 AM, Jan-Erik Söderholm wrote:
> On 2021-08-20 at 00:33, Lawrence D’Oliveiro wrote:
>> On Thursday, August 19, 2021 at 6:49:24 AM UTC+12, Arne Vajhøj wrote:
>>> The COBOL code is more lines. For one reason: everything needs to be
>>> declared with a type. You may not like that, but I think that the
>>> COBOL programmers like that.
>>
>> And it’s worse than that. COBOL’s fixed-length strings open up a whole
>> new potential avenue of vulnerabilities, in the form of
>> buffer-overflow attacks.
>
> You clearly don't have a clue. Cobol's fixed length strings *prevent*
> buffer overflow issues such as can be seen in other languages that have
> null-terminated "strings".

I will claim that the determining factor is neither fixed length nor
null termination - the determining factor is whether the length is
always present together with the string.

In the VMS calling standard: that strings are passed by descriptor
instead of by reference.

Fortran, Cobol, Pascal fixed length strings are passed
by descriptor. The language RTL can handle things.

Pascal, Basic variable length strings are passed by descriptor.
The language RTL can handle things.

C "strings" (char array using null termination) are passed by
reference. And unless the length is passed as a separate argument
and the programmer explicitly uses it properly, bad things can happen.

So there is no difference in definitions for normal code.

The difference only becomes relevant when changing the
default pass by descriptor to pass by reference. Then
a non-C non-null-terminated string becomes dangerous
as well.

Arne
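
The following C sketch is an added example, not part of the message above and not VMS code. It shows the distinction the message draws: a copy that receives both lengths through a descriptor stays inside the destination, while a by-reference receiver must be given the field size separately. `struct str_desc`, the function names and the sample record are hypothetical and constructed for illustration; the struct is a simplified stand-in, not the real VMS descriptor layout.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a string descriptor: the length travels with the pointer. */
struct str_desc {
    unsigned short length;   /* bytes at ptr (declared size for a fixed-length string) */
    char *ptr;               /* data, not null-terminated */
};

/* Fixed-length copy as a language RTL could do it: truncate or blank-pad
   to the destination's own length. Returns the number of source bytes dropped. */
size_t desc_copy(struct str_desc dst, struct str_desc src)
{
    size_t n = src.length < dst.length ? src.length : dst.length;
    memcpy(dst.ptr, src.ptr, n);
    memset(dst.ptr + n, ' ', dst.length - n);
    return src.length - n;
}

/* By-reference receiver: only a pointer arrives, so the size has to be passed
   as a separate argument and honoured. Never scans past max bytes. */
size_t ref_length(const char *s, size_t max)
{
    const char *nul = memchr(s, '\0', max);
    return nul ? (size_t)(nul - s) : max;
}

/* Constructed record: two adjacent 8-byte blank-padded fields, one trailing NUL. */
static char record[17] = "ALICE   ADMIN   ";

/* What a null-terminated scan of the first field sees: both fields (16). */
size_t unbounded_scan(void) { return strlen(record); }

/* Store an over-long value into the first field via descriptors; the
   neighbouring field must be left alone. Returns bytes dropped. */
size_t overlong_store(void)
{
    char input[] = "BARTHOLOMEW";                 /* 11 bytes, constructed */
    struct str_desc src = { 11, input };
    struct str_desc dst = { 8, record };
    return desc_copy(dst, src);
}

int main(void)
{
    printf("strlen sees %zu bytes, bounded scan sees %zu\n",
           unbounded_scan(), ref_length(record, 8));
    printf("dropped %zu, record now \"%s\"\n", overlong_store(), record);
    return 0;
}
```

The first field has no terminator of its own, so a scan that relies on null termination runs through the neighbouring field, which is the "non-C non-null-terminated string passed by reference" case.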