From: Jilles Tjoelker <jilles@stack.nl>
To: Martin Möller
Cc: freebsd-hackers@freebsd.org
Date: Sun, 1 May 2011 18:29:25 +0200
Subject: Re: [LIBC] Modified Version of sscanf
Message-ID: <20110501162925.GB47497@stack.nl>
User-Agent: Mutt/1.5.21 (2010-09-15)
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

On Sat, Apr 30, 2011 at 06:44:43PM +0200, Martin Möller wrote:
> This is my first email to this list, so hello to all members.
> The current version of sscanf stops when a whitespace character occurs in
> a string when the "%s" (string) type is used.
> The following code:
>
>     char name [20], value [20];
>     sscanf ("Test 2->Test 3", "%s->%s", name, value);
>     printf ("%s->%s\n", name, value);
>
> outputs total garbage on my FreeBSD-7.0-RELEASE #0 amd64.
> Is there already a way to do this, or should we release a new version of
> sscanf, e.g. called sscanfWS? This modified version would output:
> Test 2->Test 3.

I think you should use functions like memchr(), strchr() and strtok_r()
rather than sscanf().

For one, your code has undefined behaviour if the name or the value
exceeds 19 bytes. If the input is untrusted, as your follow-up seems to
indicate, this undefined behaviour likely manifests in allowing an
attacker to execute code of his own choosing.

Even if you avoid the buffer overflow using a format string like
"%19s->%19s", it is still not very good, as you may not get an error if
the string is too long. Silent truncation might invalidate security
checks done elsewhere and can lead to hard-to-diagnose bugs.

-- 
Jilles Tjoelker
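The following C program is an added illustration of the two points in the reply; it is not code from the thread or from FreeBSD libc, and the names scan_with_sscanf, split_arrow and FIELD_MAX are chosen here for the example. The first function keeps the post's sscanf() approach with the width limit the reply mentions: "%19s" prevents the overflow, but an over-long token is still cut to 19 bytes while sscanf() reports success. It also makes the original symptom visible: "%s" consumes every non-whitespace character, so on "Test 2->Test 3" it yields "Test", the literal "->" in the format then fails to match the space, and value is never written (the "garbage" in the post). The second function does what the reply recommends: it locates the separator explicitly (strstr() here, strchr()/memchr() would do equally), copies each side with memcpy(), allows whitespace inside fields, and rejects input that would not fit instead of truncating it. The inputs in main() are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 20   /* same size as the name[20]/value[20] buffers in the post */

/* The post's approach with the width limit from the reply.  Returns
 * sscanf()'s match count.  Each "%19s" stops at 19 bytes (plus NUL), so the
 * buffers cannot overflow, but a longer token is truncated and the return
 * value still counts it as a successful conversion.  The format is a
 * parameter so the caller can try the post's "%19s->%19s" as well as a
 * whitespace-separated variant. */
int scan_with_sscanf(const char *input, const char *fmt, char *name, char *value)
{
    name[0] = value[0] = '\0';          /* unmatched fields stay empty, not garbage */
    return sscanf(input, fmt, name, value);
}

/* Explicit parser in the spirit of the reply: find "->", then copy the
 * bytes on either side.  Fields may contain whitespace.  Returns 0 on
 * success, -1 if the separator is absent, -2 if either field would not fit
 * in fieldsz bytes including the NUL.  Over-long input is refused rather
 * than silently shortened, so a later check never sees a value that
 * differs from what was actually received. */
int split_arrow(const char *input, char *name, char *value, size_t fieldsz)
{
    const char *sep = strstr(input, "->");
    if (sep == NULL)
        return -1;

    size_t nlen = (size_t)(sep - input);
    const char *rest = sep + 2;
    size_t vlen = strlen(rest);
    if (nlen >= fieldsz || vlen >= fieldsz)
        return -2;                      /* does not fit: reject, do not truncate */

    memcpy(name, input, nlen);
    name[nlen] = '\0';
    memcpy(value, rest, vlen);
    value[vlen] = '\0';
    return 0;
}

int main(void)
{
    char name[FIELD_MAX], value[FIELD_MAX];

    /* constructed input: the line from the post */
    int n = scan_with_sscanf("Test 2->Test 3", "%19s->%19s", name, value);
    printf("sscanf \"%%19s->%%19s\": matched=%d name=\"%s\" value=\"%s\"\n",
           n, name, value);

    /* constructed input: a 28-byte second token, whitespace separated */
    n = scan_with_sscanf("ab cccccccccccccccccccccccccccc", "%19s %19s", name, value);
    printf("sscanf \"%%19s %%19s\":  matched=%d value=\"%s\" (%zu bytes kept)\n",
           n, value, strlen(value));

    const char *inputs[] = {
        "Test 2->Test 3",
        "ab->cccccccccccccccccccccccccccc",
        "no separator here",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = split_arrow(inputs[i], name, value, sizeof name);
        if (rc == 0)
            printf("split_arrow: name=\"%s\" value=\"%s\"\n", name, value);
        else
            printf("split_arrow: rejected \"%s\" (rc=%d)\n", inputs[i], rc);
    }
    return 0;
}
```

The second sscanf() call is the case the reply warns about: it returns 2, so a caller checking only the match count believes both fields parsed cleanly, yet value holds 19 of the 28 bytes that were sent. split_arrow() returns -2 for the equivalent input, which forces the caller to handle the error.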