Date: Sun, 1 May 2011 18:29:25 +0200
From: Jilles Tjoelker <jilles@stack.nl>
To: Martin Möller <moeller.akt@googlemail.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: [LIBC] Modified Version of sscanf
Message-ID: <20110501162925.GB47497@stack.nl>
In-Reply-To: <C9E2091B.36F%moeller.akt@googlemail.com>
References: <C9E2091B.36F%moeller.akt@googlemail.com>
On Sat, Apr 30, 2011 at 06:44:43PM +0200, Martin Möller wrote:
> This is my first email to this list, so hello to all members.
> The current version of sscanf stops when a whitespace character occurs in
> a string when the "%s" (string) type is used.
> The following code:
> char name [20], value [20];
> sscanf ("Test 2->Test 3", "%s->%s", name, value);
> printf ("%s->%s\n", name, value);
> outputs total garbage on my FreeBSD-7.0-RELEASE #0 amd64.
> Is there already a way to do this or should we release a new version of
> sscanf, e.g. called sscanfWS?
> This modified version would output: Test 2->Test 3.

I think you should use functions like memchr(), strchr() and strtok_r()
rather than sscanf(). For one, your code has undefined behaviour if the
name or the value exceeds 19 bytes. If the input is untrusted, as your
follow-up seems to indicate, this undefined behaviour likely manifests in
allowing an attacker to execute code of his own choosing.

Even if you avoid the buffer overflow using a format string like
"%19s->%19s" it is still not very good as you may not get an error if the
string is too long. Silent truncation might invalidate security checks done
elsewhere and can lead to hard-to-diagnose bugs.

-- 
Jilles Tjoelker
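The kind of replacement the reply suggests, as an added example that is not part of the thread: a small parser that splits "name->value" with strstr() (the same family as the strchr()/memchr() calls named above), keeps embedded spaces, and returns an error when a field would not fit instead of overflowing or silently truncating. The function name parse_pair and the 20-byte buffers are assumptions chosen to mirror the original post.

```c
/* Added example, not from the thread: parse "name->value" without sscanf. */
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 20 /* same buffer size as in the original post */

/*
 * Split "name->value" into two NUL-terminated fields, keeping embedded
 * spaces ("Test 2->Test 3"). Returns 0 on success, -1 if the separator
 * is missing or if either field does not fit (including the terminator):
 * an explicit error instead of the silent truncation of "%19s->%19s".
 */
int parse_pair(const char *input, char *name, size_t namesz,
               char *value, size_t valuesz)
{
    const char *sep = strstr(input, "->");
    size_t namelen, valuelen;

    if (sep == NULL)
        return -1;                        /* no separator: reject */
    namelen = (size_t)(sep - input);
    valuelen = strlen(sep + 2);
    if (namelen >= namesz || valuelen >= valuesz)
        return -1;                        /* would not fit: reject, do not truncate */
    memcpy(name, input, namelen);
    name[namelen] = '\0';
    memcpy(value, sep + 2, valuelen + 1); /* copies the terminator too */
    return 0;
}

int main(void)
{
    char name[FIELD_MAX], value[FIELD_MAX];

    if (parse_pair("Test 2->Test 3", name, sizeof name, value, sizeof value) == 0)
        printf("%s->%s\n", name, value);  /* Test 2->Test 3 */

    /* constructed oversized input: rejected rather than overflowing name[] */
    if (parse_pair("this name is far longer than nineteen bytes->x",
                   name, sizeof name, value, sizeof value) != 0)
        printf("rejected overlong input\n");
    return 0;
}
```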
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110501162925.GB47497>