[Info-vax] Any stronger versions of the LMF planned ?, was: Re: LMF Licence Generator Code

[Jan-Erik Söderholm]

Den 2021-08-20 kl. 15:20, skrev Arne Vajhøj:
> On 8/20/2021 2:41 AM, Jan-Erik Söderholm wrote:
>> Den 2021-08-20 kl. 00:33, skrev Lawrence D’Oliveiro:
>>> On Thursday, August 19, 2021 at 6:49:24 AM UTC+12, Arne Vajhøj wrote:
>>>> The COBOL code is more lines. For one reason: everything need to be
>>>> declared with a type. You may not like that, but I think that the
>>>> COBOL programmers like that.
>>>
>>> And it’s worse than that. COBOL’s fixed-length strings open up a whole 
>>> new potential avenue of vulnerabilities, in the form of buffer-overflow 
>>> attacks.
>>
>> You clearly doesn't have a clue. Cobols fixed lenght strings *prevents*
>> buffer overflow issues such as can bee seen in other languages that has
>> null-terminated "strings".
> 
> I will claim that the determining factor is neither fixed length or
> null termination - the determining factor is whether length are
> always present together with the string.
> 
> In VMS calling standard: that strings are passed by descriptor
> instead of by reference.
> 
> Fortran, Cobol, Pascal fixed length strings are passed
> by descriptor. The language RTL can handle things.
> 
> Pascal, Basic variable length strings are passed by descriptor.
> The language RTL can handle things.
> 
> C "strings" (char array using null termination) are passed by
> reference. And unless length is passed as a separate argument
> and programmer explicit use it properly then bad things can happen,
> 
> So there are no difference in definitions for normal code.
> 
> The difference only becomes relevant when changing the
> default pass by descriptor to pass by reference. Then
> a non-C non-null-terminated string becomes dangerous
> as well.
> 
> Arne
> 
> 


Still, it is very hard to "overwrite" a PIC X(nnn) variable using
pure Cobol code.