RE: [Format String vulnerabilities]

["Chris Eagle" <cseagle () redshift com>]

Gerardo Richarte wrote:
> > Surely however the format string *itself* isn't passed on the stack
> > but a pointer to the format string. therefore the %x modifer would
> > return a hex representation of the address pointing to the string, *not*
> > a hex representation of the string contents?
>
>       Everything you said is correct, except for 2 things:
>
>       . the fact that the format string itself is not in the
> stack. This is actually why there is a buf[1024] and a
> strncpy(buf,argv[1],sizeof(buf)): to copy the format string to the stack.
...
>       the code is:
>
> > fmt1.c ----------------------------------------------------
> >
> > int main(int argc, char *argv[]) {
> >   char buf[1024];
> >
> >   strncpy(buf, argv[1], sizeof(buf));
> >   printf(argv[1]);
> >   printf("\n");
> > }
> > ------------------------------------------------------------

argv[1] is already on the stack, there is no need for the strncpy call to
copy the format string to the stack.  In fact, in this case, the call places
a second copy of argv[1] on the stack.

Chris