问题描述
此引言来自GNU手册
像往常一样,我花了很多时间才问一个问题,五年前我确实在Stack Overflow上找到了一个类似的问题:为什么不赞成使用fgets函数?
As I usually do, I spent time searching before asking a question, and I did find a similar question on Stack Overflow from five years ago:Why is the fgets function deprecated?
尽管GNU建议在 fgets 上使用 getline ,但我注意到 stdio.h 中的 getline 可以使用任意大小的线.它会根据需要调用 realloc .如果我尝试将大小设置为10个字符:
Although GNU recommends getline over fgets, I noticed that getline in stdio.h takes any size line. It calls realloc as needed. If I try to set the size to 10 char:
#include <stdio.h>
#include <stdlib.h>
int main()
{
char *buffer;
size_t bufsize = 10;
size_t characters;
buffer = (char *)malloc(bufsize * sizeof(char));
if( buffer == NULL)
{
perror("Unable to allocate buffer");
exit(1);
}
printf("Type something: ");
characters = getline(&buffer,&bufsize,stdin);
printf("%zu characters were read.\n",characters);
printf("You typed: '%s'\n",buffer);
return(0);
}
在上面的代码中,键入任意大小的字符串,超过10个字符,getline将读取该字符串并为您提供正确的输出.
In the code above, type any size string, over 10 char, and getline will read it and give you the right output.
就像我在上面的代码中所做的那样,甚至不需要 malloc - getline 帮您完成.我将缓冲区的大小设置为0,并且 getline 将根据需要为我 malloc 和 realloc .
There is no need to even malloc, as I did in the code above — getline does it for you. I'm setting the buffer to size 0, and getline will malloc and realloc for me as needed.
#include <stdio.h>
#include <stdlib.h>
int main()
{
char *buffer;
size_t bufsize = 0;
size_t characters;
printf("Type something: ");
characters = getline(&buffer,&bufsize,stdin);
printf("%zu characters were read.\n",characters);
printf("You typed: '%s'\n",buffer);
return(0);
}
如果运行此代码,则可以再次输入任意大小的字符串,并且该字符串有效.即使我将缓冲区大小设置为0.
If you run this code, again you can enter any size string, and it works. Even though I set the buffer size to 0.
我一直在研究CERT指南中的安全编码做法 www.securecoding.cert.org
I've been looking at safe coding practices from CERT guidelines www.securecoding.cert.org
我当时正在考虑从 fgets 切换到 getline ,但是我遇到的问题是我无法弄清楚如何限制 getline .我认为恶意攻击者可以使用循环来发送无限量的数据,并用尽堆中可用的所有ram?
I was thinking of switching from fgets to getline, but the issue I am having, is I cannot figure out how to limit the input in getline. I think a malicious attacker can use a loop to send an unlimited amount of data, and use up all the ram available in the heap?
是否有一种方法可以限制 getline 使用的输入大小,或者 getline 在函数中有一定限制?
Is there a way of limiting the input size that getline uses or does getline have some limit within the function?
推荐答案
使用fget不一定有问题,所有gnu手册都告诉您,如果文件中有一个'\ 0'字节,那么将在您的缓冲区.您将无法判断缓冲区中的null分隔符是文件的实际结尾,还是文件内的null.这意味着您可以将200个字符的缓冲区读取一个100个字符的文件,其中将包含50个字符的c字符串.
Using fgets is not necessarily problematic, all the gnu manual tells you is that if there's a '\0'-Byte in the file, so will there be in your buffer. You won't be able to tell if the null-delimiter in your buffer is the actual end of the file or just a null within the file. This means you can read a 100 char file into a 200 char buffer and it will contain a 50 char c-string.
stdio.h阅读行实际上似乎没有任何合理的长度限制,因此fread可能是可行的选择.
The stdio.h readline in fact doesn't appear to have any sane length limitation so fread might be viable alternative.
取消链接C getline 和C ++ std :: getline() ,C ++ std :: istream :: getline()仅限于 count 个字符
Unlinke C getline and C++ std::getline(), C++ std::istream::getline() is limited to count characters
这篇关于getline如何使用fgets限制输入量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!