{{tag>Brouillon}}

= Notes langage C

Voir :
* [[Langage C sans compiler - Script en C]]
* [[https://www.gnu.org/prep/standards/html_node/Semantics.html|GNU Coding Standards]]
* https://developers.redhat.com/articles/2023/07/26/checking-usage-realloc-valgrind
* GCC et RedHat : https://developers.redhat.com/articles/2023/11/10/install-gcc-and-build-hello-world-application-rhel-9
* https://developers.redhat.com/articles/2024/04/03/improvements-static-analysis-gcc-14-compiler
* [[https://www.developpez.com/actu/40233/C11-la-normalisation-est-achevee-apres-douze-ans-de-travaux-multithreading-et-Unicode-au-menu/|C11 : la normalisation est achevée]]

Voir aussi : 
* ISO C99
* https://developers.redhat.com/articles/2023/07/04/developers-guide-secure-coding-fortifysource
* https://linuxfr.org/news/changement-de-licence-pour-mold-en-version-2-0

<code c>
#include <stdio.h>
#include <string.h>
#include <malloc.h>

main(int argc, char **argv)
{
    int i, size;


#define SEPARATEUR " "

    char *cmdline;

    for (i=1; i < argc; i++)
       size +=  strlen(SEPARATEUR) + strlen(argv[i]);

    cmdline = malloc(size);

    if (cmdline ) {
        memset(cmdline, 0, size);
        for (i=1; i < argc; i++) {
            strcat(cmdline, argv[i]);
            strcat(cmdline, SEPARATEUR);
        }
    }

    printf("-- %s --", cmdline);

    system(cmdline);

}
</code>


== Surcharger un symbole

Voir :
https://stackoverflow.com/questions/2146059/limiting-syscall-access-for-a-linux-application




Is the application linked statically?

If not, you may override some symbols, for example, let's redefine socket:

int socket(int domain, int type, int protocol)
{
        write(1,"Error\n",6);
        return -1;
}

Then build a shared library:

gcc -fPIC -shared test.c -o libtest.so

Let's run:

nc -l -p 6000

Ok.

And now:

$ LD_PRELOAD=./libtest.so nc -l -p 6000
Error
Can't get socket

What happens when you run with variable LD_PRELOAD=./libtest.so? It overrides with symbols defined in libtest.so over those defined in the C library.



== Sécurité

<code ->
$ man gets

...
(DEPRECATED)
Never use this function.

BUGS
       Never  use  gets().   Because  it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the
       buffer, it is extremely dangerous to use.  It has been used to break computer security.  Use fgets() instead.

       For more information, see CWE-242 (aka "Use of Inherently Dangerous Function") at http://cwe.mitre.org/data/definitions/242.html
...
</code>