Vulnerability Development mailing list archives
RE: [Format String vulnerabilities]
From: "Chris Eagle" <cseagle () redshift com>
Date: Sat, 29 May 2004 04:00:21 -0700
Gerardo Richarte wrote:
> > Surely however the format string *itself* isn't passed on the stack but a
> > pointer to the format string. Therefore the %x modifier would return a hex
> > representation of the address pointing to the string, *not* a hex
> > representation of the string contents?
>
> Everything you said is correct, except for 2 things:
>
> . the fact that the format string itself is not in the stack. This is
> actually why there is a buf[1024] and a strncpy(buf,argv[1],sizeof(buf)):
> to copy the format string to the stack.
>
> ...
>
> the code is:
>
> fmt1.c ----------------------------------------------------
> #include <stdio.h>
> #include <string.h>
>
> int main(int argc, char *argv[])
> {
>     char buf[1024];
>
>     /* copies the attacker-controlled string into a stack buffer */
>     strncpy(buf, argv[1], sizeof(buf));
>
>     /* deliberately vulnerable: argv[1] is used as the format string */
>     printf(argv[1]);
>     printf("\n");
>     return 0;
> }
> ------------------------------------------------------------
argv[1] is already on the stack, there is no need for the strncpy call to copy the format string to the stack. In fact, in this case, the call places a second copy of argv[1] on the stack.

Chris
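Editor's added example, not code from this thread or from any of its posters. The thread turns on how many arguments a chain of %x directives pulls off the stack before it reaches attacker-controlled data, and on the fix for fmt1.c (pass the input as an argument, never as the format). The helper names below (count_args, echo_unsafe, echo_fixed) are hypothetical, the sample format strings are constructed, and the count assumes the conventional model in which every directive consumes one variadic argument and each '*' width or precision one more; on 32-bit x86 that is one stack word per argument, while on x86-64 the first few arguments come from registers, so the count is a demand, not a stack offset. Positional directives (%1$x) are reported as malformed (-1) rather than counted.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* count_args(): hypothetical helper that walks a printf-style format
 * string and returns how many variadic arguments it would consume.
 * Sets *has_n when a %n directive (the write primitive) is present.
 * Returns -1 on a malformed or unsupported directive. */
int count_args(const char *fmt, bool *has_n)
{
    int n = 0;
    *has_n = false;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                  /* "%%" is a literal percent sign */
            continue;
        while (*p && strchr("-+ #0'", *p))      /* flags */
            p++;
        if (*p == '*') {                /* '*' width consumes an int argument */
            n++;
            p++;
        } else {
            while (*p >= '0' && *p <= '9')
                p++;
        }
        if (*p == '.') {                /* precision, possibly '*' too */
            p++;
            if (*p == '*') {
                n++;
                p++;
            } else {
                while (*p >= '0' && *p <= '9')
                    p++;
            }
        }
        while (*p && strchr("hlLqjzt", *p))      /* length modifiers */
            p++;
        if (!*p || !strchr("diouxXeEfFgGaAcspn", *p))
            return -1;                  /* truncated, positional or unknown */
        if (*p == 'n')
            *has_n = true;
        n++;                            /* the conversion itself */
    }
    return n;
}

/* The fmt1.c pattern: untrusted input *is* the format string. Only
 * well-defined when the input contains no directives at all. */
int echo_unsafe(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, user);
}

/* The fix: the format is a literal, the input is just an argument, so
 * "%x%x%x%x" is printed verbatim and consumes nothing from the stack. */
int echo_fixed(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "%s", user);
}

int main(int argc, char *argv[])
{
    char out[256];
    bool has_n;
    /* constructed sample input, used when no argument is given */
    const char *user = argc > 1 ? argv[1] : "%08x.%08x.%08x.%08x";
    int demand = count_args(user, &has_n);

    printf("format would consume %d argument(s)%s\n", demand,
           has_n ? ", and contains %n" : "");
    echo_fixed(out, sizeof out, user);
    printf("fixed echo prints it verbatim: %s\n", out);
    return 0;
}
```

Run it with the fmt1.c style input ("%08x.%08x.%08x.%08x") and it reports a demand of four arguments, which on 32-bit x86 is four stack words above the saved state of printf, i.e. the distance a chain of %x directives has to cover before the copied buffer (or, as Chris notes, the original argv[1]) comes into view. The echo_unsafe function is kept only to show the shape of the bug beside its fix; compilers that enable -Wformat-security will warn on it, which is exactly the check one wants in a build.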
Current thread:
- [Format String vulnerabilities] auto198368 (May 22)
- Re: [Format String vulnerabilities] Frank Knobbe (May 29)
- Re: [Format String vulnerabilities] Gerardo Richarte (May 29)
- RE: [Format String vulnerabilities] Chris Eagle (May 29)
- <Possible follow-ups>
- Re: [Format String vulnerabilities] DownBload (May 23)