Date: Fri, 8 Sep 2000 12:57:08 -0400 From: Garance A Drosihn <drosih@rpi.edu> To: "John Doh!" <johndoh_@hotmail.com>, security@FreeBSD.ORG, hackers@FreeBSD.ORG Subject: Re: How to stop problems from printf Message-ID: <v04210103b5dec9274caa@[128.113.24.47]> In-Reply-To: <F159yCTr9rf3yXvEbjk00001dc1@hotmail.com> References: <F159yCTr9rf3yXvEbjk00001dc1@hotmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
At 6:27 PM -0400 9/7/00, John Doh! wrote:
>Hello to you am I C coder who to wish write programs we cannot
>exploit via code such as below.
>
>>
>> main(int argc, char **argv)
>> {
>> if(argc > 1) {
>> printf(gettext("usage: %s filename\n"),argv[0]);
>> exit(0);
>> }
>> printf("normal execution proceeds...\n");
>> }
>
>Issue is must be getting format string from "untrusted" place, but want
>to limit substitution of %... to the substitution of say in example the
>argv[0], but to not do others so that say given "usage: %s filename %p"
>%p not interpret but to be print instead as literally so we get output
>of (saying to be argv[0] as test just for example)
>usage: test filename %p
Since gettext is getting a string from an untrusted place, you should
treat it as you would treat a string being typed in from a user.
For the example you give, you know that you are expecting ONE %s
argument, and that ONE %s is the only substitution you will allow.
So, have gettext return it's value into some string. Then, YOU search
that string for '%s'. then you do a printf of:
printf("%s%s%s", textBefore%s, argv[0], textAfter%s);
For the given example, this is pretty trivial. If you have several
different values you will substitute in the string returned by
gettext, then it gets a bit more cumbersome. My suggestion is a
fine solution for your example (IMO :-), but if you did have more
substitutions then I might try some alternate strategy.
One has to be careful about buffer overflows in that temp string,
of course.
---
Garance Alistair Drosehn = gad@eclipse.acs.rpi.edu
Senior Systems Programmer or drosih@rpi.edu
Rensselaer Polytechnic Institute
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?v04210103b5dec9274caa>