Wikipedia:Peer review/Buffer overflow/archive1

Buffer overflow
This page has been stable for a long time now. As far as I can see it fulfills all the FA Criteria and is technically accurate. Any comments? Cheers, Tompsci 12:59, 23 April 2007 (UTC)

char buffer[8]; strcpy(buffer, "excessive");
 * It could use a short blurb about how buffer overflows have been dealt with throughout the history of computing, perhaps with an example of the very first recorded buffer overflow, and the names of computer pioneers who first began designing systems that dealt with stack errors, etc. Just a thought. The article is EXTREMELY well written, btw. Matt Brennen 01:00, 24 April 2007 (UTC)
 * Somewhat subjective perhaps, but I think the technical description is too sparse and technical. It could do with twice as much prose and no C at all (certainly not two blocks of it). IMO the diagrams would be better as larger, clearer, annotated images rather than tables. Also seems like there are too many short sections and one- or two-sentence paragraphs. NicM 12:18, 24 April 2007 (UTC).
 * Perhaps merge the exploitation and history of exploitation sections into one section of 3-4 hefty paragraphs, trying to link the two together if possible. Is the first buffer overflow a good example that could be covered to explain stack or heap exploit? NicM 12:24, 24 April 2007 (UTC).
 * I agree on the diagrams, these could be improved. I think the article is concise and accurate as best as I can tell, can you give an example? Is it that you don't think the prose flows well? I disagree about the C, C and its variants are the languages most affected by the problem, so I think it makes practical sense to use it in the article. Cheers Tompsci 17:14, 24 April 2007 (UTC)
 * I know that C and variants are most affected, and they should be mentioned, but I think two blocks of C code don't add anything to the article&mdash;they are confusing for the unfamiliar and there is plenty of commentary out there on C string problems, I'm not sure we need to concentrate on technical details here or give code examples, how about covering C in relation to what others say about it? I know the OpenBSD guys, Ulrich Drepper and various other people have all given their opinions on safe string handling in C. Even if a technical discussion must stay, I certainly think the corrected example could go (it isn't our job to teach people how to write correct code, just to explain what a buffer overflow is) and the first example doesn't need to be a complete program and could be radically trimmed. Using argv is not very useful for non-C programmers either. It could just be something like:
 * Which has the advantages of being concise, and of tying into the example in the first section. Maybe this is too simple and a strncpy example would be more suitable, but in any case a code excerpt would be much better than a complete program.
 * The prose itself is okay, but IMO it is broken up into too many small sentences and small sections. The problem is more that it seems as if the entry level in this article is very steep, the language is technical, the flow of concepts seems to move very quickly. The first two sections at least read much more like a textbook than an encylopedia article. I'm not really sure if this is fixable, buffer overflows are a technical concept that rely on a lot of other technical terms to be explained :-(. NicM 08:25, 25 April 2007 (UTC).
 * Minor things: there are three external links (the "Arri Buffer" one seems to be broken from here) that would be better as notes, the notes could be formatted better, preferably in a standard format (cite web?) and including better titles and access dates. The section would be better titles "Notes and references" IMO. Why three safe library examples that seem to be focused on *nix and none that even mention Windows? Are these really the three most commonly used, what about glib? NicM 08:53, 25 April 2007 (UTC).
 * I'll try to get round to making the minor fixes at some point and I'll also try and make the prose flow a little more, make it less dense. But I think the technical nature may be unavoidable. -- Tompsci 00:01, 2 May 2007 (UTC)


 * Please see automated peer review suggestions here. Thanks, Ruhrfisch 02:40, 6 May 2007 (UTC)