Vulnerability Development mailing list archives
Re: stackguard-like embedded protection
From: Crispin Cowan <crispin () WIREX COM>
Date: Wed, 6 Sep 2000 11:20:46 -0700
H D Moore wrote:
I know I am going to sound like a moron, but why do these bugs exist in the first place? Why can't the *printf functions take an argc parameter and refuse to expand format strings after that number has been reached? I know this would break most apps instantly, but it's such a small change it wouldn't be hard to fix. Is POSIX compliance responsible for this or am I missing some crucial detail?
It's just tricky: printf uses varargs, a gross kludge that lets C functions accept a variable number of arguments. C doesn't normally support polymorphic functions, so you have to use these weird varargs kludges to parse your way up the argument stack, guessing all the while that the arguments are what you think they are.

The attached post by Mike Frantzen of Purdue (cc'd) to Bugtraq is an excellent first stab at this problem. Mike uses a sequence of macros (print1, print2, print3, etc.) to capture the argument count to printf. These macros in turn call code that counts the number of % symbols in the format string, and bitch if there are too many arguments.

The limitation on this work is that it only handles a fixed number of arguments. Fun with a text editor can raise that limit so high that you mostly don't care. You also need to craft such wrappers for all the various & sundry *printf* functions, but that too seems feasible.

Crispin
--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
Olympics: The Corruption Games
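A minimal version of the wrapper Crispin describes, written here as an added example and not Mike Frantzen's actual code: a routine counts the conversions a format will consume (treating `%%` as literal and each `*` width or precision as an extra argument), the checked wrapper refuses to call vprintf on any mismatch rather than only on excess, and fixed-arity print1/print2/print3 macros supply the count. It assumes positional `%n$` arguments are not used.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
/* Count the arguments a format string will consume: each conversion
 * takes one, "%%" takes none, and each '*' width/precision takes an
 * extra int. Returns -1 on a truncated specifier such as a trailing '%'.
 * Assumption: positional "%n$" conversions are not used. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                      /* literal percent sign */
        /* flags, width, precision: each '*' pulls an extra argument */
        while (*p && strchr("-+ #0123456789.*", *p)) {
            if (*p == '*')
                n++;
            p++;
        }
        while (*p == 'h' || *p == 'l' || *p == 'L' || *p == 'j' ||
               *p == 'z' || *p == 't')
            p++;                           /* length modifiers */
        if (*p == '\0')
            return -1;                     /* truncated specifier */
        n++;
    }
    return n;
}

/* Only call vprintf when the format consumes exactly the number of
 * arguments the caller supplied; otherwise refuse and return -1. */
int checked_printf(int nargs, const char *fmt, ...)
{
    va_list ap; int rc;
    if (count_conversions(fmt) != nargs)
        return -1;
    va_start(ap, fmt);
    rc = vprintf(fmt, ap);
    va_end(ap);
    return rc;
}

/* Fixed-arity wrappers in the style of the print1/print2/print3 macros. */
#define print0(f)          checked_printf(0, f)
#define print1(f, a)       checked_printf(1, f, a)
#define print2(f, a, b)    checked_printf(2, f, a, b)
#define print3(f, a, b, c) checked_printf(3, f, a, b, c)
```

Passing user input as the format through print0 is refused whenever it contains any conversion, which is the case the thread is about.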