Bugtraq mailing list archives
Re: StackGuard with ... Re: [Paper] Format bugs.
From: Linus Akesson <lairfight () SOFTHOME NET>
Date: Mon, 24 Jul 2000 23:35:43 +0000
In accordance with the prophecy, mixter () 2XS CO IL uttered:
(snip)
It is a bad idea to have any format functions accept format strings that aren't hard coded at compile time. All these functions need to have one format argument at one location, which definitely needs to be a hard-coded string (using and enforcing const). Per definition, it is arguably possible to supply variable format strings in a program, but it is rarely practically used, and it shouldn't be practically used. At least, when supplying any format function a non-constant format argument, the compiler should spit out a big warning, and it should do that by default without warnings enabled.
But non-constant format arguments aren't evil; they are very useful in e.g. program localization:

    printf(getTranslatedMessage(MSG_SYNTAX), argument1);

instead of:

    if(english) printf("Syntax error in %s!\n", argument1);
    if(swedish) printf("Allan tar kakan i %s baud.\n", argument1);

The second version uses constant format strings, but involves editing the source code at lots of places all over the source tree (and recompiling) just to translate the program to another language. The first version would keep all the locale routines centralized around the getTranslatedMessage() interface, which might even read format strings from an external text file.

Obviously, such an external text file could contain invalid format strings, so a secure program would need to check permissions on it. It would be possible to fall back to hardcoded language strings, but then they wouldn't have to be all over the source code & make it unreadably clumsy and if{}-overpopulated.

Conclusion: Trust your own routines that return strings. Distrust user input. Don't tell them apart by checking whether or not they are string constants.

Linus

----------------------------------------------------------------------------
The more corrupt the state, the more numerous the laws.
        -- Tacitus, 56-120 A.D.
----------------------------------------------------------------------------
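
The following is an added example, not part of the original post: one way a getTranslatedMessage()-style routine could vet a format string read from an external file against the hard-coded one before handing it to printf, falling back to the hard-coded string on any mismatch. The names safe_format and next_conv are hypothetical, and the checker assumes only the common conversions listed in the code are in use.

```c
#include <stdio.h>
#include <string.h>

/* Find the next conversion in *p, skipping literal text and "%%".
 * Stores its length modifier + type (e.g. "s", "ld") in out.
 * Returns 1 if found, 0 at end of string, -1 if the conversion is
 * rejected: %n, positional "$", '*' width/precision, or truncated. */
static int next_conv(const char **p, char out[4])
{
    const char *s = *p;
    size_t len;
    while ((s = strchr(s, '%')) != NULL && s[1] == '%')
        s += 2;
    if (s == NULL) return 0;
    s++;
    s += strspn(s, "-+ #0");                              /* flags */
    s += strspn(s, "0123456789");                         /* width */
    if (*s == '.') s += 1 + strspn(s + 1, "0123456789");  /* precision */
    len = strspn(s, "hlLjzt");                            /* length modifier */
    if (len > 2 || s[len] == '\0' || !strchr("diouxXeEfgGcsp", s[len]))
        return -1;
    memcpy(out, s, len + 1);
    out[len + 1] = '\0';
    *p = s + len + 1;
    return 1;
}

/* Return `translated` only if it consumes the same argument types in the
 * same order as the hard-coded `reference`; otherwise fall back. */
const char *safe_format(const char *reference, const char *translated)
{
    const char *r = reference, *t = translated;
    char rc[4], tc[4];
    int rr, tr;
    if (translated == NULL) return reference;
    do {
        rr = next_conv(&r, rc);
        tr = next_conv(&t, tc);
        if (rr != tr || rr < 0 || (rr == 1 && strcmp(rc, tc) != 0))
            return reference;
    } while (rr == 1);
    return translated;
}

int main(void)
{
    /* Constructed sample: the second string stands in for a line read from a file. */
    printf(safe_format("Syntax error in %s!\n", "Allan tar kakan i %s baud.\n"), "foo.c");
}
```

The comparison ignores flags, width and precision, so a translation may change padding but not the number or types of arguments consumed.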