From owner-freebsd-hackers Thu Sep 7 21:03:27 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from smtp-out1.bellatlantic.net (smtp-out1.bellatlantic.net [199.45.39.156]) by hub.freebsd.org (Postfix) with ESMTP id 0063C37B423; Thu, 7 Sep 2000 21:03:22 -0700 (PDT)
Received: from smartsoft.cc (client-209-158-91-204.bellatlantic.net [209.158.91.204]) by smtp-out1.bellatlantic.net (8.9.1/8.9.1) with ESMTP id AAA05747; Fri, 8 Sep 2000 00:03:11 -0400 (EDT)
Message-ID: <39B864D5.5BCC24E7@smartsoft.cc>
Date: Fri, 08 Sep 2000 00:02:29 -0400
From: Jan Knepper
Organization: Smartsoft, LLC
X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: "John Doh!"
Cc: bright@wintelcom.net, security@FreeBSD.ORG, hackers@FreeBSD.ORG
Subject: Re: How to stop problems from printf
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I don't know what you are doing with the 'gettext' in the call to 'printf'.
However, for printf usage I would always limit the size of a string being
displayed with "%s", thus as "%-.80s" for instance.

I would *never* do:

    printf ( argv [ 0 ] );

since argv [ 0 ] indeed is untrusted. However:

    printf ( "%s", argv [ 0 ] );

already is a lot safer. You should not have to worry about any content of
argv [ 0 ] other than the length, if that ever would be an issue. The content
of argv [ 0 ] in this case is not being parsed as a C format string.

However, for just displaying strings I would use puts or fputs. I mean, why
call a heavy-duty function such as printf when the job can be very easily
done with puts/fputs.

HTH
Jan

"John Doh!" wrote:

> >From: Alfred Perlstein
> >To: John Doh!
> >CC: security@FreeBSD.ORG, hackers@FreeBSD.ORG
> >Subject: Re: How to stop problems from printf
> >Date: Thu, 7 Sep 2000 19:33:14 -0700
> >
> >* John Doh! [000907 19:28] wrote:
> > > Hello to you, am I C coder who to wish write programs we cannot exploit
> > > via code such as below.
> > >
> > > #include <stdio.h>
> > > #include <stdlib.h>
> > > #include <libintl.h>
> > >
> > > int main(int argc, char **argv)
> > > {
> > >     if (argc > 1) {
> > >         /* untrusted translation used directly as the format string */
> > >         printf(gettext("usage: %s filename\n"), argv[0]);
> > >         exit(0);
> > >     }
> > >     printf("normal execution proceeds...\n");
> > >     return 0;
> > > }
> > >
> > > Issue is must be getting format string from "untrusted" place, but want
> > > to limit substitution of %... to the substitution of, say in example, the
> > > argv[0], but to not do others, so that say given "usage: %s filename %p"
> > > %p not interpret but to be print instead as literally, so we get output of
> > > (saying to be argv[0] as test just for example) usage: test filename %p
> > >
> > > any hints you have I am very grateful for.
> >
> >try "%%p"
> >
> >-Alfred
>
> That is what I would do if I could always control string, but point is input
> string is not trusted... how to either validate or else to have printf limit
> to its arguments. Any ideas?
>
> _________________________________________________________________________
> Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
>
> Share information about yourself, create your own public profile at
> http://profiles.msn.com.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Jan Knepper
Smartsoft, LLC
88 Petersburg Road
Petersburg, NJ 08270
U.S.A.
http://www.smartsoft.cc/
http://www.mp3.com/pianoprincess
Phone : 609-628-4260
FAX   : 609-628-1267
FAX   : 303-845-6415 http://www.fax4free.com/
Phone : 020-873-3837 http://www.xoip.nl/ (Dutch)
FAX   : 020-873-3837 http://www.xoip.nl/ (Dutch)

In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
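The thread asks how to let an untrusted (e.g. translated) format string substitute exactly one `%s` while every other directive such as `%p` or `%n` is printed literally, and Jan's reply adds the advice to bound the substituted string with `%-.80s`. The following is an added example that is not part of the thread or of FreeBSD: it rewrites the untrusted format before handing it to `snprintf`, keeping only the first `%s` (widened to `%-.80s`), preserving an already-escaped `%%`, and doubling any other `%` so the C library never interprets it. The names `sanitize_format`, `safe_usage` and `renders_as` are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Width bound applied to the one substituted string, per the "%-.80s" advice. */
#define ARG_WIDTH "80"

/* Rewrite an untrusted format string so that it contains at most one
 * conversion, "%-.80s", and every other '%' is escaped as "%%".
 * Returns 0 on success, -1 if out is too small. */
static int sanitize_format(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    int seen_s = 0;

    for (size_t i = 0; in[i] != '\0'; i++) {
        char one[2] = { in[i], '\0' };
        const char *piece;
        size_t len;

        if (in[i] == '%' && in[i + 1] == 's' && !seen_s) {
            piece = "%-." ARG_WIDTH "s";   /* the single allowed directive */
            seen_s = 1;
            i++;                            /* consume the 's' */
        } else if (in[i] == '%' && in[i + 1] == '%') {
            piece = "%%";                   /* keep an escaped percent as-is */
            i++;
        } else if (in[i] == '%') {
            piece = "%%";                   /* neutralise %p, %n, %x, a 2nd %s ... */
        } else {
            piece = one;
        }

        len = strlen(piece);
        if (o + len >= outsz)
            return -1;
        memcpy(out + o, piece, len);
        o += len;
    }
    out[o] = '\0';
    return 0;
}

/* Render an untrusted message with one untrusted string argument into buf.
 * Returns the number of characters produced, or -1 on error/truncation. */
int safe_usage(const char *untrusted_fmt, const char *arg,
               char *buf, size_t bufsz)
{
    char fmt[256];
    int n;

    if (sanitize_format(untrusted_fmt, fmt, sizeof fmt) != 0)
        return -1;
    n = snprintf(buf, bufsz, fmt, arg);   /* fmt now has exactly one %s-type slot */
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return n;
}

/* Check helper: 1 if formatting untrusted_fmt with arg yields expected. */
int renders_as(const char *untrusted_fmt, const char *arg, const char *expected)
{
    char buf[512];

    if (safe_usage(untrusted_fmt, arg, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample: a "translation" that smuggles in a %p directive. */
    const char *msg = "usage: %s filename %p";
    const char *prog = argc > 0 ? argv[0] : "(unknown)";
    char line[512];

    if (safe_usage(msg, prog, line, sizeof line) < 0)
        return 1;
    puts(line);   /* prints the program name, then the literal text "%p" */
    return 0;
}
```

Because the sanitised format can never contain a second conversion, the argument count always matches and `%n` can never be reached; the remaining concern, as Jan notes, is only the length of the substituted string, which the `.80` precision bounds.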