Common vulnerabilities guide for C++ programmers
C++ is not C. That's the first piece of advice we can give. Don't use printf, char* and friends; go the C++ way instead. If you are forced to do things the C way, please review the C guidelines.
Memory handling
- Don't use malloc and free, and avoid bare new and delete as well. Own memory with RAII objects: the standard containers (std::vector, std::string) and smart pointers (std::unique_ptr, created with std::make_unique). A raw pointer obtained from new is only released when the matching delete runs; if an exception is thrown before that point, the delete is skipped and the memory leaks. A std::unique_ptr or container releases what it owns in its destructor, which runs during stack unwinding, so the memory is de-allocated cleanly even when an exception propagates.
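The following added example (not code from the original page) makes the exception path observable: a Resource type counts its live instances, a hypothetical risky_step throws part-way through, and the same operation is written once with raw new/delete and once with std::unique_ptr. The raw version leaves one Resource alive after the exception; the RAII version leaves none.

```cpp
#include <memory>
#include <stdexcept>

// Counts live instances so a leak can be measured after the fact.
struct Resource {
    static int live;
    Resource()  { ++live; }
    ~Resource() { --live; }
};
int Resource::live = 0;

// Hypothetical step that may fail in the middle of an operation.
void risky_step(bool fail)
{
    if (fail) throw std::runtime_error("step failed");
}

// The pattern the bullet warns about: when risky_step throws, control
// leaves the function before delete runs and the Resource leaks.
void with_raw_new(bool fail)
{
    Resource* r = new Resource;
    risky_step(fail);
    delete r;                 // never reached on the exception path
}

// The RAII version: the unique_ptr destructor runs during stack
// unwinding, so the Resource is freed on both the normal and the
// exception path.
void with_unique_ptr(bool fail)
{
    auto r = std::make_unique<Resource>();
    risky_step(fail);
}                             // r destroyed here, or while unwinding

// Runs f on its failing path, swallows the exception, and reports how
// many Resources are still alive afterwards (0 means nothing leaked).
template <typename F>
int leaked_after(F f)
{
    Resource::live = 0;
    try {
        f(true);
    } catch (const std::runtime_error&) {
    }
    return Resource::live;
}

int main()
{
    bool ok = leaked_after(with_raw_new) == 1 && leaked_after(with_unique_ptr) == 0;
    return ok ? 0 : 1;
}
```

The leak in with_raw_new is deliberate and is what leaked_after measures; in real code the only fix is to let an RAII owner hold the pointer, not to add try/catch blocks around every new.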
String handling
- Don't use char*, but use the std::string class.
- Don't use fscanf or sscanf, but use the >> operator on std::istream objects (std::cin, std::ifstream, std::istringstream) together with std::string. fscanf's %s writes an unbounded string into a fixed-size buffer; >> into a std::string grows the string as needed. Note that >> reads one whitespace-delimited token; use std::getline to read a whole line, and check the stream state after every read (for example if (!(in >> n))) instead of assuming it succeeded.
File handling
- Don't use fopen(). Use std::ifstream for reading. For writing, it's more complicated: std::ofstream gives you no control over the creation flags or the file mode, so it cannot create a file exclusively (failing if the file already exists) or with restrictive permissions, which is exactly what you need when writing into a directory other users can reach, such as /tmp. Call the C open() with O_WRONLY|O_CREAT|O_EXCL and mode 0600, and then use the Boost.Iostreams library to get a nice stream from the file descriptor itself:
#include <boost/iostreams/device/file_descriptor.hpp>
#include <boost/iostreams/stream_buffer.hpp>
#include <iostream>
#include <stdexcept>
#include <cerrno>
#include <cstring>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>

namespace io = boost::iostreams;

int main()
{
    // O_CREAT|O_EXCL: create the file and fail if it already exists, so a
    // symlink or file pre-placed by another user is never followed or
    // overwritten. 0600: readable and writable by the owner only.
    int fd = open("/my/file", O_WRONLY|O_CREAT|O_EXCL, 0600);
    if (fd == -1)
        throw std::runtime_error(std::string("open: ") + std::strerror(errno));

    // Wrap the descriptor in a stream buffer. close_handle makes the sink
    // close fd when it is destroyed; Boost 1.44 and later require this
    // flag (the older bool close_on_exit constructor is deprecated).
    io::stream_buffer<io::file_descriptor_sink> fp(fd, io::close_handle);
    std::ostream out(&fp);
    out << "Hello, world" << std::endl;
    return 0;
}
After that, just compile it with the -lboost_iostreams flag (for example g++ example.cpp -lboost_iostreams), and that's it!
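When Boost is not available, the same technique works with a small hand-written std::streambuf. The following is an added example, not code from the page or from Boost: fd_streambuf and write_new_file are hypothetical helpers that wrap a descriptor opened with O_CREAT|O_EXCL and mode 0600, and demo() creates a file under /tmp, checks its mode and contents, confirms that a second exclusive create is refused with EEXIST, and cleans up.

```cpp
#include <cerrno>
#include <fstream>
#include <ostream>
#include <streambuf>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Unbuffered std::streambuf that writes straight to a file descriptor
// and closes it on destruction (hypothetical helper, not from Boost).
class fd_streambuf : public std::streambuf {
public:
    explicit fd_streambuf(int fd) : fd_(fd) {}
    ~fd_streambuf() override { if (fd_ != -1) close(fd_); }
    fd_streambuf(const fd_streambuf&) = delete;
    fd_streambuf& operator=(const fd_streambuf&) = delete;
protected:
    // Called for single characters because there is no put area.
    int_type overflow(int_type ch) override {
        if (ch == traits_type::eof()) return traits_type::not_eof(ch);
        char c = traits_type::to_char_type(ch);
        return write_all(&c, 1) ? ch : traits_type::eof();
    }
    // Called for bulk writes such as inserting a std::string.
    std::streamsize xsputn(const char* s, std::streamsize n) override {
        return write_all(s, n) ? n : 0;
    }
private:
    // Loop until every byte is written; retry on EINTR, fail on any error.
    bool write_all(const char* p, std::streamsize n) {
        while (n > 0) {
            ssize_t w = write(fd_, p, static_cast<size_t>(n));
            if (w < 0) { if (errno == EINTR) continue; return false; }
            p += w;
            n -= w;
        }
        return true;
    }
    int fd_;
};

// Create path exclusively with owner-only permissions and write text to it.
// Returns false (with errno set) if the file already exists or cannot be
// created; a pre-placed symlink is never followed because of O_EXCL.
bool write_new_file(const std::string& path, const std::string& text)
{
    int fd = open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd == -1) return false;
    fd_streambuf buf(fd);            // owns and closes fd from here on
    std::ostream out(&buf);
    out << text << std::flush;
    return static_cast<bool>(out);
}

// Self-check: create, verify mode and content, confirm the second create
// is refused, remove the file. Uses a pid-based name under /tmp.
bool demo()
{
    std::string path = "/tmp/cxx_guide_demo_" + std::to_string(getpid());
    unlink(path.c_str());                        // start from a clean slate
    if (!write_new_file(path, "Hello, world\n")) return false;

    struct stat st;
    bool ok = stat(path.c_str(), &st) == 0 && (st.st_mode & 0777) == 0600;

    std::ifstream in(path);                      // reading: plain ifstream
    std::string line;
    ok = ok && std::getline(in, line) && line == "Hello, world";

    // O_EXCL: a second exclusive create of the same path must fail.
    ok = ok && !write_new_file(path, "again") && errno == EEXIST;
    unlink(path.c_str());
    return ok;
}

int main()
{
    return demo() ? 0 : 1;
}
```

The streambuf has no internal buffer, so each << results in a write() call; that is fine for small configuration or log files, and for bulk output you would add a put area and flush it from overflow and sync. The security-relevant part is unchanged from the Boost version: the flags and mode are decided at open() time, before any C++ stream sees the descriptor.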