bug-gnulib

Re: vasnprintf and invalid format string


From: Eric Blake
Subject: Re: vasnprintf and invalid format string
Date: Wed, 25 Nov 2009 06:00:04 -0700
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.23) Gecko/20090812 Thunderbird/2.0.0.23 Mnenhy/0.7.6.666

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

According to Bruno Haible on 11/25/2009 2:21 AM:
>> On the cygwin list, it was pointed out that printf("%**s",1,"a","b")
>> proceeds to try to print "b" with a field width of whatever the integer
>> value of the pointer to "a" contained (or, in other words, each additional
>> * consumes another vararg position off the stack).  This quickly becomes a
>> denial of service or even an exploitable security hole.
> 
> How can it become a security hole? Format strings come
>   1) from the program, where the programmer has coded them and where gcc
>      has checked them,
>   2) from .mo files, where the translator has coded them and where msgfmt -c
>      has checked them.

I agree that this particular problem (of an invalid format string) is
something that can be detected by gcc at compile time; the only time a
format string can be a security hole is if you use a format string based
on arbitrary user input, but that has been a known hole for years (because
of %n) and is dealt with in the same way - audit your code to prove that
all format strings are either compile-time constants, or pass through
methods which have been audited to ensure that the resulting string is a
valid format string.

So, it may be worth a mention in the docs that *printf behaves differently
on various platforms when given an invalid string (in the case of my
example string, both Solaris and glibc return success! rather than failing
with EINVAL, but with differing amounts and content of output), but that
gnulib doesn't bother with this because it is assumed a well-written
program never passes an invalid format string in the first place.

- --
Don't work too hard, make some time for fun as well!

Eric Blake             address@hidden
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)
Comment: Public key at home.comcast.net/~ericblake/eblake.gpg
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksNKlQACgkQ84KuGfSFAYA02ACeLUfvaqg53AK66ooBszs037YK
XpwAmQG1Qqb7CP0IcYMZx3uyek1SquoD
=nawM
-----END PGP SIGNATURE-----
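The audit approach Eric describes (prove every format string is either a compile-time constant or has passed through a checked path, as msgfmt -c does for .mo files) can be backed by a small validator at the point where a non-constant format string enters the program. The following is an added example, not code from this thread or from gnulib; the function names check_format and format_accepts and the accepted conversion set are assumptions of the example. It parses each conversion specification, allows at most one `*` for width and one for precision, rejects `%n` and unknown conversions, and reports how many variadic arguments the string would consume, so a string such as "%**s" is refused before it ever reaches vasnprintf, regardless of how a given platform's *printf would treat it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Result of validating a printf-style format string. */
typedef struct {
    bool   ok;     /* true when the format is well-formed under our rules */
    int    nargs;  /* number of variadic arguments the format consumes   */
    size_t errpos; /* offset of the first offending character when !ok   */
} fmt_check;

/* Conservative validator (hypothetical helper, not gnulib code).
   Accepts: flags, a width that is digits or exactly one '*', a precision
   that is digits or exactly one '*', an optional length modifier, and a
   fixed set of conversion characters.  A second '*' in either position
   (the "%**s" case), "%n", a bare trailing '%', or an unknown conversion
   character is reported as an error at its offset. */
static fmt_check check_format(const char *fmt)
{
    fmt_check r = { true, 0, 0 };
    const char *p = fmt;

    while (*p) {
        if (*p != '%') { p++; continue; }
        p++;                                   /* step past '%' */
        if (*p == '%') { p++; continue; }      /* literal "%%" */

        while (*p && strchr("-+ #0", *p)) p++; /* flags */

        if (*p == '*') { r.nargs++; p++; }     /* width from an argument */
        else while (*p >= '0' && *p <= '9') p++;

        if (*p == '.') {                       /* precision */
            p++;
            if (*p == '*') { r.nargs++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }

        if (*p == 'h' || *p == 'l') {          /* h, hh, l, ll */
            char c = *p++;
            if (*p == c) p++;
        } else if (*p && strchr("jztL", *p)) {
            p++;
        }

        /* conversion character; "%n" is deliberately not in the set */
        if (*p && strchr("diouxXeEfFgGaAcsp", *p)) {
            r.nargs++;
            p++;
        } else {
            r.ok = false;
            r.errpos = (size_t)(p - fmt);
            return r;
        }
    }
    return r;
}

/* Gate for a format string loaded at run time (e.g. a translation):
   it must be well-formed and consume exactly the number of arguments
   the call site is going to supply. */
static bool format_accepts(const char *fmt, int expected_nargs)
{
    fmt_check r = check_format(fmt);
    return r.ok && r.nargs == expected_nargs;
}

int main(void)
{
    /* Constructed sample strings, including the one from the thread. */
    const char *samples[] = { "%**s", "%s %d", "%5.*f", "%n", "100%%", "%" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        fmt_check r = check_format(samples[i]);
        if (r.ok)
            printf("\"%s\": ok, consumes %d argument(s)\n", samples[i], r.nargs);
        else
            printf("\"%s\": rejected at offset %zu\n", samples[i], r.errpos);
    }
    return 0;
}
```

The check is deliberately stricter than what a given libc accepts: anything outside the parsed subset is rejected, which is the right default for a string whose origin is not a compile-time constant.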



