From owner-freebsd-doc Mon Apr 2 18:40: 6 2001 Delivered-To: freebsd-doc@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 70A5637B724 for ; Mon, 2 Apr 2001 18:40:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f331e2556686; Mon, 2 Apr 2001 18:40:02 -0700 (PDT) (envelope-from gnats) Date: Mon, 2 Apr 2001 18:40:02 -0700 (PDT) Message-Id: <200104030140.f331e2556686@freefall.freebsd.org> To: freebsd-doc@freebsd.org Cc: From: Dima Dorfman Subject: Re: docs/26286: format string warnings in man pages. Reply-To: Dima Dorfman Sender: owner-freebsd-doc@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The following reply was made to PR docs/26286; it has been noted by GNATS. From: Dima Dorfman To: mike@urgle.com Cc: FreeBSD-gnats-submit@freebsd.org Subject: Re: docs/26286: format string warnings in man pages. Date: Mon, 02 Apr 2001 18:38:26 -0700 Mike Bristow writes: > >Number: 26286 > >Category: docs > >Synopsis: *printf(3) etc should gain format string warnings > > Index: lib/libc/gen/err.3 > =================================================================== > RCS file: /upstream-repositories/freebsd.org/src/lib/libc/gen/err.3,v > retrieving revision 1.11.2.4 > diff -u -r1.11.2.4 err.3 > --- lib/libc/gen/err.3 2001/03/05 08:42:22 1.11.2.4 > +++ lib/libc/gen/err.3 2001/03/29 15:48:07 > @@ -97,9 +97,16 @@ > and a space are output. > If the > .Fa fmt > -argument is not NULL, the > -.Xr printf 3 > --like formatted error message is output. > +argument is not NULL, then further output is controlled by treating > +it as a format string that specifies how subsequent arguments (or > +arguments accessed via the variable-length argument facilities of > +.Xr stdarg 3 ) > +are converted for output, in the same way as > +.Xr printf 3 . > +If the format string specifies an argument that does not exist, or > +a type different from that actually given, random errors, that > +could cause a security risk, may occur. > +.Pp [ Picking a random part of the patch to use as context. ] The idea behind this is great, but I don't really like how the above text is duplicated everywhere. It seems unnatural. Ideally, the above would be replaced with a "see something(3) for information on what [a format string] implies". Unfortunately, I don't know what this something(3) should be; printf(3) is the first thing that comes to mind, but printf(3) documents a particular function; it just so happens that most C programmers' first sight of a format string was in the context of a call to printf(). To demonstrate the importance of not duplicating this stuff, I point out this [shortcoming]: the text above, which is pretty much the same in all your other changes, doesn't mention the fact that using a dynamic format string--more accurately, one which an outsider (user) can control--can lead to disaster just as quickly as specifying the wrong type of arguments. Although technically it's the same problem (i.e., someone specifies a format the programmer didn't know about, leading, e.g., err(3) to think argument x is of type y when it's really of type z, or just nonexistent), it's a very common error (this is what's recently became known as a "format string bug"). Regards, Dima Dorfman dima@unixfreak.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message