Sloppy is Sloppy
Week of August 19, 2001
This is getting beyond bizarre -- there's got to be a way that they
can check for buffer overflows before they release these things, no?
How do you check?
And why doesn't Apache have these gaping holes? Is it the
open-source development model that makes Apache more secure?
Less code? An older program so most of the bugs are gone?
Or what?
I honestly don't think MS programmers are idiots, so WTF is the
problem here?
Are people just picking over IIS and finding every flaw? But they
must pick over Apache too, no?
> there's got to be a way that they can check for buffer overflows
> before they release these things, no? How do you check?
I'm not sure you can. The programming principle is easy, and it's
written all over the Windows API as it already is. Let me give you
an example. Say we're working with an ordinary application and we
know the user has inputted something like a URL into a combobox such
as your edit field in your location bar in Internet Explorer. That's
called a combobox, even though Microsoft has screwed it up totally.
The API you call to get the URL or whatever it is goes like this:
SendMessage(hWnd, WM_GETTEXT, cchTextMax, (LPARAM) lpszText);
- The hWnd is the identifying 'window handle' of the combobox.
- The WM_GETTEXT is the message itself - 'gimme the text'.
- The lpszText is a pointer to YOUR buffer where the text goes.
But the most important of all is cchTextMax - this is the SIZE of
your buffer, counted in characters and including the terminating
null. You tell the combobox how much buffer you have; it copies at
most cchTextMax - 1 characters and then the null, and so, provided
the number you pass is the real size of the buffer and not a guess,
the combobox cannot cause a buffer overflow.
This principle is all over programming - at least in the Windows
environment. Another example:
GetDlgItemText(hWnd, nID, lpString, nMaxCount);
You ask a window to get text from, for example, a combobox.
- hWnd is again the identifier of the window.
- nID is the identifier of the combobox within the window.
- lpString is the pointer to YOUR buffer, where the text goes.
And - AGAIN - nMaxCount is how much buffer you have (again counting
the terminating null), so the function truncates the text instead of
overflowing your buffer.
It's written all over the API.
Even in cases where you cannot know beforehand how big a buffer
needs to be, you can always find out how much space to allocate.
Suppose you do not want a static allocation sitting around to handle
a combobox URL of up to 30,000 bytes. Piece of cake. First you call
the combobox and ask it: 'Exactly how much text do you have anyway?'
SendMessage(hWnd, WM_GETTEXTLENGTH...);
The answer is the length in characters, NOT counting the terminating
null, so you allocate length + 1. Then you get the text with
WM_GETTEXT, passing that allocated size as cchTextMax so the fetch
itself stays bounded even if the text changed between the two calls.
Then you don't have an overflow.
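Here is the same contract in a small C program. This is an example added to this page, not Radsoft's code and not the Windows API: the Control struct and the control_get_text_length, control_get_text and control_dup_text functions are portable stand-ins written to follow the documented rules of WM_GETTEXTLENGTH and WM_GETTEXT (the size the caller passes counts the terminating null, the length the control reports does not), and kSampleUrl is a constructed string, so it builds and runs anywhere with a C compiler, no window handles needed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a control that owns some text. Not a real
   window; it exists only so the two calls below have something to ask. */
typedef struct {
    const char *text;
} Control;

/* Constructed sample input: longer than the 16-byte buffer used below. */
static const char kSampleUrl[] =
    "http://example.invalid/a-constructed-url-longer-than-sixteen-bytes";
static const Control kSample = { kSampleUrl };

/* Mirrors the WM_GETTEXTLENGTH rule: length in characters, NOT counting
   the terminating null. */
size_t control_get_text_length(const Control *c)
{
    return strlen(c->text);
}

/* Mirrors the WM_GETTEXT rule: cch_max is the size of the caller's
   buffer INCLUDING the terminating null. At most cch_max - 1 characters
   are copied, the result is always null-terminated, and the number of
   characters copied (not counting the null) is returned. The sloppy
   alternative, strcpy(buf, c->text), has no bound at all. */
size_t control_get_text(const Control *c, char *buf, size_t cch_max)
{
    if (cch_max == 0)
        return 0;                       /* nothing fits, not even the null */
    size_t len = strlen(c->text);
    size_t n = len < cch_max - 1 ? len : cch_max - 1;
    memcpy(buf, c->text, n);
    buf[n] = '\0';
    return n;
}

/* The length-then-fetch pattern: ask how much text there is, allocate
   length + 1 for the null the length excludes, then fetch with that
   size as the bound so the fetch is safe even if the text changed. */
char *control_dup_text(const Control *c)
{
    size_t len = control_get_text_length(c);
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    control_get_text(c, buf, len + 1);
    return buf;
}

/* Demo 1: a 16-byte stack buffer against a longer string. Returns the
   number of characters copied (15) if the buffer stayed in bounds and
   null-terminated, or (size_t)-1 if the contract was broken. */
size_t demo_fixed_buffer(void)
{
    char buf[16];
    size_t n = control_get_text(&kSample, buf, sizeof buf);
    if (n != sizeof buf - 1 || buf[n] != '\0' || strlen(buf) != n)
        return (size_t)-1;
    return n;
}

/* Demo 2: the two-step pattern reproduces the whole text exactly.
   Returns 1 on success, 0 otherwise. */
int demo_length_then_get(void)
{
    char *copy = control_dup_text(&kSample);
    int ok = copy != NULL && strcmp(copy, kSampleUrl) == 0;
    free(copy);
    return ok;
}

int main(void)
{
    char buf[16];
    control_get_text(&kSample, buf, sizeof buf);
    printf("bounded fetch into 16 bytes: \"%s\"\n", buf);

    char *copy = control_dup_text(&kSample);
    printf("length-then-fetch: \"%s\"\n", copy ? copy : "(alloc failed)");
    free(copy);
    return 0;
}
```

The point to take from demo 1 is that the caller never has to know the text length to be safe: the 16-byte buffer receives 15 characters and a null, no matter how long the URL is. Demo 2 shows that when you do want all of it, the length query tells you exactly how much to allocate, and the fetch is still passed the buffer size rather than trusting the earlier answer.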
> why doesn't Apache have these gaping holes?
Precisely.
> I honestly don't think MS programmers are idiots
You are very kind, but this is where you are wrong, darlin'. Look
closer at the US IT labour market. All these half-green cards. Look
at how ppl work in Redmond - how Steve Ballmer treats them.
MS does not want ppl with prior experience. They can't be
brainwashed by Ballmer then.
MS has never had 'names'. Cutler was a name. Look at how FEW bugs
turned up in Cutler's NT. (Please realise that IIS is NOT part of
Cutler's NT.)
They are every bit as shitty programmers as you suspect, darlin',
and that is the reason. They really are. I have worked with them and
dealt with them, and I tell you, they really are that shitty - in
fact, they're even worse.
When ppl such as myself say MS is the software equivalent of
McDonalds, we're not just trying to be cute. They truly are the
equivalent. You no doubt are familiar with Paul Bocuse, the founder
of the nouvelle cuisine. He has a fine restaurant in Lyon. Now
imagine you took kitchen crew from a McDonalds restaurant and put
them to work in Paul's restaurant. What would you get?
You'd get a lot of buffer overflows is what.
One final comment and I will let you go.
My company has been perhaps the chief antagonist against bloat in
the PC commercial software industry. But we have also been one of
the chief antagonists against bugs in MS software, as evidenced by
ILOVEYOU, SirCam, and Code Red. The reason?
'Sloppy is sloppy.'
Bloat means you're dealing with sloppy programmers. The kind who
work the McDonalds kitchen floor and drop hamburger patties all over
the place. The kind who give you a hamburger where the mustard and
ketchup are smeared all over the bun.
Bugs means you're dealing with sloppy programmers too. It's the same
thing. You ask for a hamburger without pickle and you get it anyway.
You get TOO MUCH onions. You get a root beer when you ordered a Diet
Coke, and the lid falls off because they didn't put it on right. Or
they hand you a bag with the top all crunched instead of folded
neatly, or they put the drinks in the same bag as your burgers and
your burgers get all wet.
It takes talent to be so dumb, it always has and it always will.
It takes talent to be a sloppy programmer, but in the PC software
industry they're all over the place. The stories about major
bloopers are legendary and legion. How about Corel Draw 4, which was
so bugged they withdrew it and later reintroduced it and finally
denied ever releasing the bugged version in the first place?
How about the whole 'beta campaign' thing we have today, with our
'GOLD' (sic) releases, our 'Release Candidates', etc.
How can programmers release code to ANYONE if they don't check it
out first?
How can programmers write bugged, bloated and above all SLOPPY code
in the first place?
Good programmers don't do this, darlin'. They never have and they
never will.