From owner-freebsd-security  Thu Apr 19 13:43: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193])
	by hub.freebsd.org (Postfix) with ESMTP id 9959A37B440
	for <security@FreeBSD.ORG>; Thu, 19 Apr 2001 13:42:54 -0700 (PDT)
	(envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost)
	by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id QAA40625;
	Thu, 19 Apr 2001 16:42:40 -0400 (EDT)
	(envelope-from wollman)
Date: Thu, 19 Apr 2001 16:42:40 -0400 (EDT)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Message-Id: <200104192042.QAA40625@khavrinen.lcs.mit.edu>
To: "D. K." <dk@homepage.ru>
Cc: security@FreeBSD.ORG
Subject: FreeBSD grow bug
In-Reply-To: <3ADF4DD0.17AB0F64@homepage.ru>
References: <3ADF4DD0.17AB0F64@homepage.ru>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

<<On Fri, 20 Apr 2001 00:42:56 +0400, "D. K." <dk@homepage.ru> said:

> int main(int argc, char *argv) {
>     printf("%7$x\n", 1, 2, 3, 4, 5, 6, 7);
>     printf("%8$x\n", 1, 2, 3, 4, 5, 6, 7, 8);
>     printf("no grow bug\n");
>     return 0;
> }

This code is erroneous.  If the format string does not reference all
positional arguments up to and including the numerically greatest one
named, the result of *printf() is undefined.  This is not a security
matter; replies to <freebsd-standards@bostonradio.org>, please.

-GAWollman


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message