Vulnerability Development mailing list archives

Re: stackguard-like embedded protection


From: Crispin Cowan <crispin () WIREX COM>
Date: Wed, 6 Sep 2000 11:20:46 -0700

H D Moore wrote:

I know I am going to sound like a moron, but why do these bugs exist in
the first place?  Why can't the *printf functions take an argc parameter
and refuse to expand format strings after that number has been reached?
I know this would break most apps instantly, but it's such a small change
it wouldn't be hard to fix.  Is POSIX compliance responsible for this or
am I missing some crucial detail?

It's just tricky:  printf uses varargs, a gross kludge that lets C functions
accept a variable number of arguments.  C doesn't normally support polymorphic
functions, so you have to use these weird varargs kludges to parse your way up
the argument stack, guessing all the while that the arguments are what you think
they are.

The attached post by Mike Frantzen of Purdue (cc'd) to Bugtraq is an excellent
first stab at this problem.  Mike uses a sequence of macros (print1, print2,
print3, etc.) to capture the argument count to printf.  These macros in turn
call code that counts the number of % symbols in the format string, and bitch if
there are too many arguments.

The limitation on this work is that it only handles a fixed number of
arguments.  Fun with a text editor can raise that limit so high that you mostly
don't care.  You also need to craft such wrappers for all the various & sundry
*printf* functions, but that too seems feasible.

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org
                Olympics:  The Corruption Games


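An added sketch of the wrapper scheme Crispin describes above (my own code, not Mike Frantzen's post or anything attached to this thread): printN macros hand the declared argument count to a checker that counts the conversions in the format string and refuses to print on a mismatch. The names `count_conversions`/`checked_printf` and the decision to reject `*` widths and `%n$` positional forms outright are my assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count the arguments a format will consume, treating "%%" as a literal.
 * Assumption (not from the thread): each conversion consumes exactly one
 * argument, so '*' widths, "%n$" positionals and a dangling '%' give -1. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;            /* "%%" prints a percent sign */
        while (*p != '\0' && strchr("-+ #0123456789.", *p) != NULL)
            p++;                            /* flags, width, precision */
        if (*p == '*' || *p == '$')
            return -1;                      /* consumes args we cannot count */
        while (*p != '\0' && strchr("hlLqjzt", *p) != NULL)
            p++;                            /* length modifiers */
        if (*p == '\0')
            return -1;                      /* format ends mid-conversion */
        n++;
    }
    return n;
}

/* Print only if the format consumes exactly the number of arguments the
 * caller declared through the printN macros below. */
int checked_printf(int argc, const char *fmt, ...)
{
    int need = count_conversions(fmt);
    if (need < 0 || need != argc) {
        fprintf(stderr, "checked_printf: format needs %d arg(s), caller passed %d\n", need, argc);
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int rc = vprintf(fmt, ap);
    va_end(ap);
    return rc;
}

/* The count is fixed by which macro the programmer chose, so a user-supplied
 * format carrying extra conversions is refused rather than expanded. */
#define print0(f)          checked_printf(0, (f))
#define print1(f, a)       checked_printf(1, (f), (a))
#define print2(f, a, b)    checked_printf(2, (f), (a), (b))
#define print3(f, a, b, c) checked_printf(3, (f), (a), (b), (c))
```

A call like `print1("hi %d\n", 5)` prints normally, while handing an untrusted string to `print0` yields -1 and a line on stderr whenever that string contains any conversion at all.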