bug-gnulib

vasnprintf and invalid format string


From: Eric Blake
Subject: vasnprintf and invalid format string
Date: Tue, 24 Nov 2009 22:15:46 -0700
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090812 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666


On the cygwin list, it was pointed out that printf("%**s",1,"a","b")
proceeds to try to print "b" with a field width of whatever the integer
value of the pointer to "a" contained (or, in other words, each additional
* consumes another vararg position off the stack).  This quickly becomes a
denial of service or even an exploitable security hole.  Solaris 10 has
the same behavior.

On the same input, glibc prints "%1*s" and returns 4, rather than failing
with EINVAL.  POSIX says results are unspecified if the format string is
not valid.

Is detection of invalid format strings something that we want the gnulib
replacement *printf routines to handle, and if so, what semantics should
we provide in rejecting the bad string?

--
Don't work too hard, make some time for fun as well!

Eric Blake             address@hidden
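An added check, not gnulib's code and not from this thread, that does what the message asks about: it parses the C99 conversion-spec grammar, counts the variadic arguments a format consumes, and rejects the malformed "%**s" case (and "%1*s") with -1, so a wrapper can refuse such strings before they reach vsnprintf; printf_format_argc is a hypothetical name, and positional "%n$" forms are assumed out of scope.

```c
#include <string.h>

/* Added example, not gnulib's code: a strict checker for printf-style
 * formats.  Returns the number of variadic arguments the format consumes,
 * or -1 if it is malformed under the C99 grammar
 *   %[flags][width][.precision][length]conversion
 * so that "%**s" is rejected instead of silently pulling an extra
 * argument off the stack.  Positional "%n$" forms are not handled. */
int printf_format_argc(const char *fmt)
{
    int argc = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                       /* "%%": literal percent */
            continue;
        while (*p && strchr("-+ #0", *p))    /* flags */
            p++;
        if (*p == '*') {                     /* width taken from an int arg */
            argc++;
            p++;
        } else {
            while (*p >= '0' && *p <= '9')
                p++;
        }
        if (*p == '.') {                     /* precision */
            p++;
            if (*p == '*') {
                argc++;
                p++;
            } else {
                while (*p >= '0' && *p <= '9')
                    p++;
            }
        }
        if (*p == 'h' || *p == 'l') {        /* length: h, hh, l, ll */
            char c = *p++;
            if (*p == c)
                p++;
        } else if (*p && strchr("jztL", *p)) { /* length: j, z, t, L */
            p++;
        }
        if (!*p || !strchr("diouxXeEfFgGaAcspn", *p))
            return -1;                       /* missing/unknown conversion */
        argc++;                              /* the converted value itself */
    }
    return argc;
}
```

A wrapper that compares the returned count against the number of arguments it was actually given can then fail with EINVAL rather than reading past the caller's varargs.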



