From owner-freebsd-security Thu Apr 19 14: 6: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from homepage.ru (homepage.ru [195.242.9.13])
    by hub.freebsd.org (Postfix) with ESMTP id ECA9037B423
    for ; Thu, 19 Apr 2001 14:05:58 -0700 (PDT)
    (envelope-from dk@homepage.ru)
Received: from homepage.ru (spb-3-28.dialup.peterlink.ru [195.242.18.28])
    by homepage.ru (8.9.3/8.9.3) with ESMTP id BAA68044;
    Fri, 20 Apr 2001 01:06:57 +0400 (MSD)
    (envelope-from dk@homepage.ru)
Message-ID: <3ADF5442.BD703D6@homepage.ru>
Date: Fri, 20 Apr 2001 01:10:26 +0400
From: "D. K."
X-Mailer: Mozilla 4.74 [en] (X11; U; FreeBSD 4.2-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Garrett Wollman , security@FreeBSD.ORG
Subject: Re: FreeBSD grow bug
References: <3ADF4DD0.17AB0F64@homepage.ru> <200104192042.QAA40625@khavrinen.lcs.mit.edu>
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Garrett Wollman wrote:
>
> < said:
>
> > int main(int argc, char *argv) {
> >     printf("%7$x\n", 1, 2, 3, 4, 5, 6, 7);
> >     printf("%8$x\n", 1, 2, 3, 4, 5, 6, 7, 8);
> >     printf("no grow bug\n");
> >     return 0;
> > }
>
> This code is erroneous. If the format string does not reference all
> positional arguments up to and including the numerically greatest one
> named, the result of *printf() is undefined. This is not a security
> matter; replies to , please.

You are not right;) See format string reference or next example:

#include <stdio.h>

int main(int argc, char *argv[]) {
    char buf[100];

    /* seven %d conversions, then the 7th argument again by position */
    sprintf(buf, "%d%d%d%d%d%d%d %7$x\n", 1, 2, 3, 4, 5, 6, 7);
    printf("%s", buf);
    /* the same with eight arguments and %8$x */
    sprintf(buf, "%d%d%d%d%d%d%d%d %8$x\n", 1, 2, 3, 4, 5, 6, 7, 8);
    printf("%s", buf);
    printf("no grow bug\n");
    return 0;
}

Best Regards,
Dmitry Kopteloff
---
LG Soft Lab. Information Security Group, RUSSIA
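
As an added example (not code from either poster or from FreeBSD's libc), here is a small C lint that applies the rule quoted in the message above to a format string: every position up to the highest one named must be referenced. It goes one step further and also flags POSIX's separate rule that numbered (%n$) and unnumbered conversions must not be mixed; check_format, MAXPOS and the status names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAXPOS 64  /* assumption: lint limit; higher positions are rejected */
enum fmt_status { FMT_OK, FMT_MIXED, FMT_GAP, FMT_BAD };
struct use { unsigned char seen[MAXPOS + 1]; int max, num, unnum; };

/* Parse "<digits>$" at *pp: returns the position and advances, 0 if absent, -1 for "0$". */
static int numbered(const char **pp) {
    const char *p = *pp;
    int n = 0;
    for (; *p >= '0' && *p <= '9'; p++)
        if (n <= MAXPOS) n = n * 10 + (*p - '0');
    if (p == *pp || *p != '$') return 0;
    *pp = p + 1;
    return n ? n : -1;
}

/* Record one argument reference; n == 0 means "next argument" (unnumbered). */
static int take(struct use *u, int n) {
    if (n < 0 || n > MAXPOS) return -1;
    if (n == 0) { u->unnum = 1; return 0; }
    u->seen[n] = 1; u->num = 1;
    if (n > u->max) u->max = n;
    return 0;
}

enum fmt_status check_format(const char *f) {
    struct use u = {0};
    for (const char *p = f; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;                    /* "%%" takes no argument */
        if (take(&u, numbered(&p))) return FMT_BAD;   /* the converted value */
        while (*p && strchr("-+ #0'123456789.hlLqjzt*", *p))
            if (*p++ == '*' && take(&u, numbered(&p))) return FMT_BAD;  /* width/precision */
        if (!*p || !strchr("diouxXeEfFgGaAcspn", *p)) return FMT_BAD;
    }
    if (u.num && u.unnum) return FMT_MIXED;           /* undefined per POSIX */
    for (int i = 1; i <= u.max; i++)
        if (!u.seen[i]) return FMT_GAP;               /* the rule quoted in the message */
    return FMT_OK;
}

int main(void) {
    static const char *names[] = { "ok", "mixed", "gap", "bad" };
    const char *fmts[] = { "%7$x\n", "%d%d%d%d%d%d%d %7$x\n", "%1$s %2$d %1$s\n" };
    for (size_t i = 0; i < sizeof fmts / sizeof *fmts; i++)
        printf("%-5s <- %s", names[check_format(fmts[i])], fmts[i]);
    return 0;
}
```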