Originally Posted By: DWallach
That said, I was recently looking at a bunch of reported security vulnerabilities in common applications (student final projects in my security class), and a common feature was that several of these real-world apps were doing string handling by hand. Example: say you want to do a global substitution (s/something-long/short/g), I saw this hand-coded as a for-loop with two variables, writing the shortened string on top of the long string. There was a boundary condition they missed, and thus an exploitable vulnerability.

This boils down to this deep need among C hackers to micro-optimize absolutely everything and to handle strings directly rather than through libraries. Now, if somebody could tell me how to address these dual tendencies...


The funny thing is I bet if you compared some of this micro-optimized code to code that used conventional libraries, the library code would be basically the same speed or close enough to not really be a factor. There is a lot of value in knowing when to start doing memcpy (or even inline assembler) to optimize something and when to leave well enough alone. It's not always obvious when to do this with today's very smart compilers, and libraries that have been highly optimized over the years.



Edited by siberia37 (26/04/2011 13:44)
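An added example, not code from either poster or from the applications mentioned: the two-index in-place substitution described in the quoted post, written with the boundary checks such a loop needs. The function name `replace_shrink` and the sample string are constructed here, and the checks shown are the usual ones for this pattern, not necessarily the one those applications missed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: replace every occurrence of pat with rep inside the
 * NUL-terminated buffer s, in place. Returns the replacement count, or -1
 * when the arguments cannot be handled safely. rep must not point into s. */
int replace_shrink(char *s, const char *pat, const char *rep)
{
    if (s == NULL || pat == NULL || rep == NULL)
        return -1;
    size_t slen = strlen(s), plen = strlen(pat), rlen = strlen(rep);
    /* An empty pattern never advances; a longer replacement would let the
     * write index overtake the read index and run past the buffer. */
    if (plen == 0 || rlen > plen)
        return -1;

    size_t r = 0, w = 0;   /* read and write indices, invariant: w <= r */
    int count = 0;
    while (r < slen) {
        /* Compare only when a whole pattern still fits before the NUL,
         * so a partial match at the tail is never read past the end. */
        if (slen - r >= plen && memcmp(s + r, pat, plen) == 0) {
            memcpy(s + w, rep, rlen);
            w += rlen;
            r += plen;
            count++;
        } else {
            s[w++] = s[r++];
        }
    }
    s[w] = '\0';           /* terminate the shortened string */
    return count;
}

int main(void)
{
    char buf[] = "path=something-long;alt=something-long";  /* constructed input */
    int n = replace_shrink(buf, "something-long", "short");
    printf("%d replacements: %s\n", n, buf);
    return 0;
}
```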