Date: Mon, 02 Apr 2001 10:48:40 +0100 From: Mike Bristow <mike@urgle.com> To: FreeBSD-gnats-submit@freebsd.org Subject: docs/26286: format string warnings in man pages. Message-ID: <E14k0wy-0006UD-00@lindt.urgle.com>
next in thread | raw e-mail | index | archive | help
>Number: 26286 >Category: docs >Synopsis: *printf(3) etc should gain format string warnings >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-doc >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Mon Apr 02 02:50:00 PDT 2001 >Closed-Date: >Last-Modified: >Originator: Mike Bristow >Release: FreeBSD 4.3-BETA i386 >Organization: >Environment: RELENG_4 (sadly, I don't have a -current box atm) >Description: Man pages for stdarg(3), err(3), setproctitle(3), syslog(3), printf(3), gain a warning that missing arguments, or those of an unexpected type, may cause random errors and/or a security risk. >How-To-Repeat: $ man 3 printf >Fix: This patch (should) apply to a -stable tree, I don't have a -current box at the moment :( Index: share/man/man3/stdarg.3 =================================================================== RCS file: /upstream-repositories/freebsd.org/src/share/man/man3/stdarg.3,v retrieving revision 1.4.2.2 diff -u -r1.4.2.2 stdarg.3 --- share/man/man3/stdarg.3 2001/03/06 19:08:09 1.4.2.2 +++ share/man/man3/stdarg.3 2001/03/29 15:48:07 @@ -120,7 +120,7 @@ .Fa type is not compatible with the type of the actual next argument (as promoted according to the default argument promotions), -random errors will occur. +random errors will occur, which might lead to a security risk. .Pp The first use of the .Fn va_arg Index: lib/libc/gen/err.3 =================================================================== RCS file: /upstream-repositories/freebsd.org/src/lib/libc/gen/err.3,v retrieving revision 1.11.2.4 diff -u -r1.11.2.4 err.3 --- lib/libc/gen/err.3 2001/03/05 08:42:22 1.11.2.4 +++ lib/libc/gen/err.3 2001/03/29 15:48:07 @@ -97,9 +97,16 @@ and a space are output. If the .Fa fmt -argument is not NULL, the -.Xr printf 3 --like formatted error message is output. +argument is not NULL, then further output is controlled by treating +it as a format string that specifies how subsequent arguments (or +arguments accessed via the variable-length argument facilities of +.Xr stdarg 3 ) +are converted for output, in the same way as +.Xr printf 3 . +If the format string specifies an argument that does not exist, or +a type different from that actually given, random errors, that +could cause a security risk, may occur. +.Pp The output is terminated by a newline character. .Pp The Index: lib/libc/gen/setproctitle.3 =================================================================== RCS file: /upstream-repositories/freebsd.org/src/lib/libc/gen/setproctitle.3,v retrieving revision 1.16.2.2 diff -u -r1.16.2.2 setproctitle.3 --- lib/libc/gen/setproctitle.3 2000/12/08 13:49:24 1.16.2.2 +++ lib/libc/gen/setproctitle.3 2001/03/29 15:48:07 @@ -39,13 +39,17 @@ .Xr ps 1 command. .Pp -The title is set from the executable's name, followed by the -result of a -.Xr printf 3 -style expansion of the arguments as specified by the +If +.Va fmt +is not NULL, then the title is set from the executable's name, +followed by the result of treating .Va fmt -argument. -If the +as a format string that specifies how subsequent arguments are +converted, in the same was as +.Xr printf 3 . +If the format string specifies arguments that do not exist, or it +specifies a type different from that actually given, random errors, +that could cause a security risk, may occur. If the .Va fmt argument begins with a .Dq - Index: lib/libc/gen/syslog.3 =================================================================== RCS file: /upstream-repositories/freebsd.org/src/lib/libc/gen/syslog.3,v retrieving revision 1.9.2.4 diff -u -r1.9.2.4 syslog.3 --- lib/libc/gen/syslog.3 2001/03/06 16:45:55 1.9.2.4 +++ lib/libc/gen/syslog.3 2001/03/29 15:48:07 @@ -48,9 +48,9 @@ .Fd #include <syslog.h> .Fd #include <varargs.h> .Ft void -.Fn syslog "int priority" "const char *message" "..." +.Fn syslog "int priority" "const char *fmt" "..." .Ft void -.Fn vsyslog "int priority" "const char *message" "va_list args" +.Fn vsyslog "int priority" "const char *fmt" "va_list args" .Ft void .Fn openlog "const char *ident" "int logopt" "int facility" .Ft void @@ -60,33 +60,34 @@ .Sh DESCRIPTION The .Fn syslog -function -writes -.Fa message -to the system message logger. +function writes a message to the system message logger. The message is then written to the system console, log files, logged-in users, or forwarded to other machines as appropriate. (See .Xr syslogd 8 . ) .Pp -The message is identical to a -.Xr printf 3 -format string, except that +The message is created by treating +.Va fmt +as a format string that specifies how subsequent arguments are +converted, in the same was as +.Xr printf 3 , +with an additional convertion specifier of .Ql %m -is replaced by the current error -message. -(As denoted by the global variable +which is replaced by the current error message. (As denoted by +the global variable .Va errno ; see .Xr strerror 3 . ) -A trailing newline is added if none is present. +If the format string specifies arguments that do not exist, or it +specifies a type different from that actually given, random errors, +that could cause a security risk, may occur. A trailing newline +is added if none is present. .Pp The .Fn vsyslog -function -is an alternate form in which the arguments have already been captured -using the variable-length argument facilities of -.Xr varargs 3 . +function is an alternate form in which the arguments have already +been captured using the variable-length argument facilities of +.Xr stdarg 3 . .Pp The message is tagged with .Fa priority . Index: lib/libc/stdio/printf.3 =================================================================== RCS file: /upstream-repositories/freebsd.org/src/lib/libc/stdio/printf.3,v retrieving revision 1.17.2.5 diff -u -r1.17.2.5 printf.3 --- lib/libc/stdio/printf.3 2001/03/06 16:46:01 1.17.2.5 +++ lib/libc/stdio/printf.3 2001/03/29 15:48:07 @@ -170,7 +170,11 @@ the character .Cm % . The arguments must correspond properly (after type promotion) -with the conversion specifier. +with the conversion specifier. If they do not random errors, +which could cause a security risk, may occur. In particular, +user-supplied data should never be included in the format string +without checking that it is safe (eg, does not contain %s +and other character sequences with special meaning). After the .Cm % , the following appear in sequence: >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E14k0wy-0006UD-00>