--- Paul Gilmartin <[EMAIL PROTECTED]> wrote:

From: Paul Gilmartin <[EMAIL PROTECTED]>
Date: Thu, 12 May 2005 16:36:33 -0600
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: PARM=

> I strongly disagree with the followup that says a new keyword (e.g. "PARMX") is needed to force an "overt change to the JCL" when using a longer PARM string. As it stands an "overt change" is required, viz. adding characters to the current short PARM string.
>
> Most of the concerns about buffer overflows, etc. are groundless: nowadays any program can be invoked via ATTACH, CALL, LINK, XCTL macros; from Rexx ATTCHMVS, likely from various other languages with a PARM string >100 characters. No one suffers ill effects.
>
> If protection is necessary, provide an attribute on the load module, set by the Binder, indicating that the program can accept a long PARM. Tolerant legacy programs can simply be relinked to set the attribute; the macros above can test the flag and fail if not set and the PARM exceeds 100 characters. But again, why bother.
>
> The one valid buffer overflow concern, IMO, is for APF authorized programs, which cannot now be called from unauthorized callers with ATTACH, etc. Extending the PARM in JCL might provide a mechanism for ordinary, unauthorized users to exploit buffer overflows. Perhaps there should be a restriction that only AC=0 programs can be attached by the initiator with PARM>100 characters. Or, if the long PARM attribute is implemented, those AC=1 programs tolerant of long PARMs can be relinked to set the attribute.
>
> The limit should be not 32,767 characters, but 65,535; the number that can be represented in 16 bits. Why waste a bit?
>
> Glad to hear of this, at last,
> gil
> --
> StorageTek
> INFORMATION made POWERFUL

Permit me to throw my full support behind Gil's remarks. In my view this is the only way to go.

Backward compatibility is not an issue. An older program, recompiled, will simply take the length of parm it expects, up to 100 bytes.

Adrian Auer-Hudson
Webmaster, <http://www.losangelesmetro.net>.
Supporter of "Expo Light Rail - Enabler for the Digital Coast" <http://www.friends4expo.org>.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
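
Added example, not part of either message above and not IBM code: a portable C model of the two safeguards the thread discusses, the link-time "long PARM" attribute test and a receiver that takes only the bytes its buffer holds. The halfword-length-then-text parameter area is modelled as a byte array; the function and flag names are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LEGACY_PARM_MAX 100   /* current JCL PARM limit discussed in the thread */

/* Parameter area as the program sees it: halfword length, then the text. */
static uint16_t parm_len(const unsigned char *area) {
    return (uint16_t)((area[0] << 8) | area[1]);   /* big-endian halfword */
}

/* Proposed gate (hypothetical flag name): a PARM over 100 bytes is passed
 * only to a module whose long-PARM attribute was set at link time. */
static int invoker_allows(int long_parm_attr, uint16_t len) {
    return len <= LEGACY_PARM_MAX || long_parm_attr != 0;
}

/* Tolerant receiver: take only as much as the buffer holds.
 * Returns the number of bytes copied; dst is always NUL-terminated. */
static size_t copy_parm(const unsigned char *area, char *dst, size_t dst_size) {
    size_t n = parm_len(area);
    if (dst_size == 0) return 0;
    if (n > dst_size - 1) n = dst_size - 1;   /* clamp before copying */
    memcpy(dst, area + 2, n);
    dst[n] = '\0';
    return n;
}

/* Constructed sample: build a parameter area holding `len` bytes of 'A'. */
static void make_area(unsigned char *area, uint16_t len) {
    area[0] = (unsigned char)(len >> 8);
    area[1] = (unsigned char)(len & 0xFF);
    memset(area + 2, 'A', len);
}

int main(void) {
    unsigned char area[2 + 300];
    char buf[LEGACY_PARM_MAX + 1];
    make_area(area, 300);
    printf("declared=%u copied=%zu allowed_without_attr=%d\n",
           (unsigned)parm_len(area), copy_parm(area, buf, sizeof buf),
           invoker_allows(0, parm_len(area)));
    return 0;
}
```

A receiver that instead copies `parm_len(area)` bytes into its 100-byte buffer without the clamp is the overflow case raised for AC=1 programs.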