26

I quite literally do not understand any bit of this, you edited your post and I just seen it, so let me disassemble this latest nonsense.
You say that you could add random junk into a buffer and that it would take a long time to scan; how is that different from me sending 20 1024 byte packets to you as opposed to a stream of 20k bytes to you?
What exactly does it matter if I send a sql injection, (do you even know how that works), if you aren't connected to a database? Even better, if you do any packet validation at all, you can simply drop the entire chunk on the floor after the first few bytes are inspected. If you do have a database-backed service that you're providing, sql injection will get cleaned up on sanitization anyway, assuming that you're silly enough to pass your queries through from the user, so again that's not a security issue.
If I send 20k bytes of machine code (whatever that means, presumably opcodes) to you, why does it matter? Unless you're dumb enough to try to execute anything someone sends you, that won't be a problem; if you are, whether you execute 20k bytes of opcodes or 1024 bytes of opcodes, shellcode is very very small, and limiting the buffer isn't going to matter.
So simply put, if you think that limiting the buffer size keeps you from executing that scary machine code, or will somehow prevent a SQL injection, you need to reevaluate security and the design of the many apps I'm sure you're working on to showcase your talents!

You touch on another issue, which is that of performance and which I've touched on already, but which I'd like to deal with a second time.
Assuming that for whatever reason you scan the entire 20k byte buffer, that's simply a matter of roughly:
1 compare to see if the loop is ended
1 compare to see if the string does something
if so, a jump, if not a jump back to the first compare
opcodes in here, maybe a function call?
jump back to the loop
really you're looking at roughly 5 opcodes for this loop, give or take. That's 100000 opcodes executed in the event you need to scan an entire buffer. This is fast, and your computer does string comparison work all the time, so if you're worried about 20k iterations over a loop, security isn't the issue, but a poorly designed application, packet handler or anything else is.

Thumbs up +1

27 (edited by Xsense 2018-04-11 06:10:00)

defender

Thank you i appriciate all the help is welcome.
As they say its a community we can put our minds together.

sorressean
Yes this is what i ment you nailed it on the head with that post.
Just simply saying basic knowledge is needed when you dive into such a broad branch.

Ethan
As i stated before, everyone may have their own opinnion i dont mind that at all.
But it was clear you mistunderstood my post as i was pointing out to just simply study basic networking in c#.
Before grabbing a off the shelf library from someone.
Because in the end you do need to know what the code does.
And that is my oppinnion in all do respect.

Anyways,
Perhaps we should all focus on the topic poster and support him.
As its his topic and not a topic where people bash on eachother.
Whats the point of that anyways?

We should share the knowledge that we have or give pointers into the right direction.
So that the one asking for help can be on his merry way.

Regards,
XSense

Projects: Audio Sphere (3d Audio Game Engine), Luna Stories (Horror Survival Puzzle Game).
Email: crys[email protected]
Skype: XSense29
Website: www.XSense.org

Thumbs up +2

28 (edited by defender 2018-04-11 06:17:18)

Kyleman I wish I could ignore it, but he tends to turn completely normal topics into shitting on people.
I'm not going to just let him treat someone who did nothing to deserve it like that, and considering your post signature I'd think you would understand where I'm coming from on this.
If someone tells you something like, that idea is so terribly fucking stupid that if you told a real programmer that, something which I am and your not, (guy who just made a functioning game demo and engine) than they would laugh in your face, because it's just that dumb, which is essentially what I heard in post 8, than I think you would be pretty insulted and unwelcom feeling.
If not then, your the outlier here man, and congrads on having such a thick skin (truly) but your not like most people.
Xsense I agree, I wish this didn't get turned into a flamewar but I kind of expected it to happen. I suggested to the original poster that he should delete and remake this topic on Skype, so he may do that.

This... -- Is CNN'.
Well Ted, it sure looks like there's been uh, quite a bit of violence around here
"aaoh, that violence was terrible'!"
Yeah it was, pretty bad.

Thumbs up

29

@25, the reason I lash out at those who cut me down when I am wrong is not the fact that its criticism. Its not that I'm offended by it. Its the manner its delivered that I have a problem with. I don't try to deliberately fail each and every time. But here's the thing. If I act arrogant, which really is impossible to tell since this is text, and not something like a voice chat where you can here my emotion and tone, and then you cut me down and quite literally force your way down my throat, your being hypocritical by first telling me not to do x and then doing it right back at me. That's not setting examples or helping anything, that's worsening it. And that's usually the trigger of all this bullshit, because both try explaining something to the other, but both sides do it in most likely the completely wrong way, and it goes on and on like this, until someone forceably breaks the argument up. When I post, I'm obviously trying to help. Telling me what I'm doing wrong in my methods of helping, or telling me what I'm doing wrong in code samples (like the one I did in post 4, which was handwritten, by the way), is fine. Doing it in such a way as to imply that you're better than me and always will be is what sets me off. That is exactly the wrong attitude. No matter how much you dislike me, I at least expect common decency. I may not have contributed anything of my own work to this community yet, but that does not mean that I haven't coded. But I'm not going to reitterate this any more. All I'm trying to say is that yes, I expect critism. Everyone does, everyone should. Its life. But if someone is forcing the way they think someone should do something down that someone's throat, and then you go and do it to them, its not going to resolve the situation, as many a topic has proven.
Now, I shall reference my remarks in post 4 where I said a vulnerability is there if you allocate ridiculously large sizes to your arrays and then feed bytes into them. To rehash, I said: "You should never accept packets in 20000-byte chunks. That leaves so many vulnerabilities open to your system its absolutely unimaginable." While this statement may have been pushed a bit far, of which I apologize for, it was most likely correct. While a denial of service attack may be the only thing we currently may be able to think of, or to find, there are most likely many others attackers either haven't found, but we don't know about them, or we just don't know they exist at all, but they're there. In the sample application kianoosh listed, the risk was literally nil; he scans the data for a specific keyword and ignores the rest. However, I was generalizing a bit; while I wrote that, I was considering the possibility that, if he allocated 20000-byte chunks in this app, he may allocate the same, if not larger, in future apps, and wanted to prevent that, since I cannot possibly predict how he'll use that data. Off the top of my head I can think of regular expression parsers, HTTP, JSON, RPC and others (though why you'd want a remote regexp parser I have no idea, unless your doing something like lambdamoo, where regexps are builtin functions).
Now, for statement two, I complained about the imports. This was primarily from a refactorization point-of-view; I myself tend to remove unused imports, and languages like Go enforce import usage. However, my first part, about error handling, was correct, as the sample has absolutely none of which I could find.
As for my third statement, I spoke about threads and mutex. I apologize for incorrect mutex/thread locking usage; I'm kinda bad at it. smile Again, though, I was generalizing. Sorressean, however, has already informed the OP that this was unnecessary, and I shall not reiterate it. tongue
As for my recommendations, statement one was derived from my first 'issue'. Like that one, I thought the unused imports should be removed, since they only cause code clutter.
My third statement was... not very thought out. It is, sometimes, what I do, even if it is wrong, since the applications I do this kind of thing in are usually console apps that I want the error displayed, not just a full on .NET panic, of sorts. I mentioned putting try/catch in main() because I only do that in apps that have a main() (such as if I'm beginning a new project). (I remove them later... or I'll sometimes forget about them. Depends.)
My fourth recommendation was derived from my third 'issue'. That sample, as I said above, was handwritten, and so I certainly didn't expect it to be perfect. It was only showing how to use mutexes in .NET, not as a full-on example, even if I may have portrayed it as such.
Post 6 may have been a bit harsh. However, I found post 5 a bit confusing (the statement "Never use library's for networking" made me think "What? [wow]?"). Post 8 was because I read post seven, and I thought he meant communication with the networking card via something like POSIX. I, too, apologize for my rudeness in that one. Post 9 cleared up most of my confusion, though I still consider higher-level libraries much easier to use because I don't need to worry about low-level packet transmissions, though if I need to dip into the low-level system I will do so. (Boost.Asio is ridiculously hard to use, from what I've seen of it. The samples I've seen of it make me shy away from it. Maybe I'm not fully understanding it... dunno.)
I hope this explanation clears up some things. Maybe it won't, maybe it will.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

30

I tried to be nice a couple times my self, but it still kept happening, so now I don't see the point.

This... -- Is CNN'.
Well Ted, it sure looks like there's been uh, quite a bit of violence around here
"aaoh, that violence was terrible'!"
Yeah it was, pretty bad.

Thumbs up +1

31

#29:
I'm not trying to attack you here, just explain my side of things. You talk a lot about how people attacked you (I did, I'll happily admit it), but your language and your attitude causes problems. So really, here's what I'm trying to get at. None of these are supposed to be mean, just explain the issue:
1. Back to the byte arrays: I've gotten you to move off of them being a security issue, to them maybe possibly being a security issue. If you want to say that's bad practice, fine. If you want to say that there are better ways to handle it, fine. But what you and Kyle did was try to invent some security issues to back up your claims which simply are false. Maybe you didn't mean to say it like that, but again this is a point where we can moderate and just stick to simple facts, at least facts that you know.
2. You say "You use threads and no mutexes."
If you're unfamiliar or bad at using mutexes and multithreading (and honestly most people struggle with it from time to time), look at this from a high level view, determine if you know enough to state that someone "should" be doing something as that is stating a fact. If you don't understand what a method does (like join, for example), just go look it up. The more research you do the better educated you will be, the better help you'll provide the OP of *any* question and the better you will come out in the end.
3. The try-catch statements: if we had simply had to discuss this, I would have been fine explaining why this creates issues and what that means for you as a dev and debugging. I'm happy to explain smaller thing s like this, and I really hope that I did and helped push you away from doing the same thing. Bad habbits can be broken with good code practices.
4. Post 6: you talk a lot here about people attacking you, then just jump and say your logic is flawed when he specifically referenced using libraries.
5. Post 6 has these quotes:
"That has to be the worst idea I've ever seen" "If you were to walk up to a professional programmer or computer scientist
and tell them this idea, they'd laugh in your face."
What I'm trying to point out here, is that by saying things like this, they are very adversarial and put you on the attack. If you don't want people like myself to be combative with posts, you need to also consider not doing the same thing, or trying to clarify what #5 was saying before just simply jumping to attack them.

End result, like I said I understand everyone is learning, and I understand you want to help. There are ways to go about it while helping yourself. If you really want to help, consider phrasing your information in a different way, because the way it comes across (even if only in text) is that you are superior or think yourself superior to others; when you have so much misinformation in posts while also attacking people, that also creates frustration for all involved. I personally don't care what you are, have, have not coded, but I care about the content of your knowledge and how you convey it, because that knowledge can either hurt someone and send them down the wrong path trying to wrongly use mutexes, give them the idea that large buffers are somehow a security concern because someone could flood them, etc; on the other hand, you could spend some time to learn, research, or just provide what knowledge you know for sure and help the OP and send them down the right path. Ultimately the choice is yours, but the latter would be so much more helpful for all involved.

Thumbs up

32

@29 this is essentially the message I get when reading about 95% of your posts

What the fuck is wrong with you, you're doing it wrong, how could you be so god damned stupid!

People reply to you with criticisms because you are the one who starts it by belittling others, which seems to be a common motif with you. SO, we have someone trying to provide help, and you jump down their throats, that's what's bullshit here. The way you worded that post, and I'm on the second page now so not scrolling back to check it, but the first post by you in this topic, is completely unacceptable. To be honest, I'm not sure why the mods don't deal with you, I've seen them hand warnings out for far less. I've reported one of your posts, I can tell you that, but I think it is because they don't go in the developer's room that often.
So, you feeling like you need to lash out at people for calling you out on your bullshit is really due to you starting the bullshit by treating someone who didn't deserve it badly.

I know a lot of programmers get into heated debates, I've seen it, I'm not a developer, I just cobble stuff together from time to time. A lot of programmers have this god complex too, certainly not all, as demonstrated by good advice and so forth given in the topics here and other places on the net. I don't think its too hard to disagree without coming off like a douche bag. In fact, a debate and an argument are two different things. You can debate points with someone while maintaining respect for them. This is something that you've never demonstrated the ability to do.

I also know the challenge of not shoving your opinions down someone's throat, because I have the same thing and I have to work at not doing it. I don't always succeed either, also, sometimes I may be screaming in the back of my head but I don't say what I think, which is also hard for me, but there's just certain things you need to do if you want to socialize, or at least contribute to social society. But, I'm probably wasting my time, I doubt any of this will have any effect so, I'll end here.

I'm a cat! What's mine is mine, and what's yours is mine to :P XD

Thumbs up +1

33

@sorressean, thank you for that. I'm bad with threads myself; I find them hard to work with, but I do understand how powerful an application can be in multithreaded mode if done correctly (games are an excellent example of that). I'm still learning how to safely use mutexes, too. Right now I have an idea of what I want to do, but am struggling on a good way to implement it. smile I'll probably create either a new topic, or PM the idea to you. Maybe I'm struggling because I don't have some kind of design spec... then again, it could be all the distraction of college and homework and things too.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

34

@#33:
Honestly games are a really bad place for multithreading generally.
I always design for single threaded and then add a second thread or multiple threads in when needed if it's actually needed. If your logic is decoupled like it should be, this is a simple solution because you can add locks in the methods that need them.
Many times people will think that something which is IO bound should need threads, but creating more threads creates more contention on IO and thus makes your application even more IO bound.
So ask yourself is this something that is CPU bound, can it be performed in parallel, then is this something I should make multithreaded.
If the answers are yes, go for it, otherwise start looking for ways to clean up your performance bottlenecks. Threads are powerful, but generally used and abused in ways that don't make sense.
HTH,

Thumbs up

35

They can be very easy to abuse, yes. Then again, anything can be abused. Right now I'm trying to learn SQL -- I'm very, very bad at it. I can create databases, but when it comes to full-on databases -- inserting and updating things -- I get lost. So I'm trying to at least learn sqlite as a starting point.

"On two occasions I have been asked [by members of Parliament!]: 'Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out ?' I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question."    — Charles Babbage.

Thumbs up

36

Hi there. I guess there's no re posting needed because i got the libraries i want as well as recommendations. Xsens's game engine, the library that sorressean interdused and some of the recommendations that you did helps a lot. Thanks for that

how you act with others, They act with you in the same way.

Thumbs up