Vulnerability Development mailing list archives

Re: stackguard-like embedded protection


From: Michael Wojcik <Michael.Wojcik () MERANT COM>
Date: Wed, 6 Sep 2000 11:54:47 -0700

-----Original Message-----
From: H D Moore [mailto:hdm () SECUREAUSTIN COM]
Sent: Tuesday, September 05, 2000 10:35 PM

> I know I am going to sound like a moron, but why do these bugs exist in
> the first place?

Because lazy programmers pass unknown strings as the format-string argument
to the printf/scanf function family, rather than use a format-string of
"%s".  This is incorrect practice by pretty much any measure (the format
string conceptually specifies data layout and captioning, not the primary
data itself), but unfortunately not uncommon.

> Why can't the *printf functions take an argc parameter
> and refuse to expand format strings after that number has
> been reached?

Because the printf/scanf functions were defined a long time ago, and are
very widely used, and that's not how they work.

And, more importantly, it's unnecessary.  Every instance of

        printf(user_data);

can become

        printf("%s", user_data);

and the problem is gone.  No new argument-count parameter is required.

> I know this would break most apps instantly, but it's such a small change
> it wouldn't be hard to fix.  Is POSIX compliance responsible for this or
> am I missing some crucial detail?

It's possible to fix broken applications without changing the API - and so
without breaking the ones that work.

Michael Wojcik             michael.wojcik () merant com
MERANT
Department of English, Miami University
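
The two forms contrasted above, as an added worked example in C (not part of Michael Wojcik's or H D Moore's messages). It places the vulnerable call, where user data is the format string, beside the hardened call that passes the same data as the argument of a fixed "%s" format, and adds a small scanner that counts how many conversion directives an input carries, so one can see what the vulnerable form would make the printf family consume. The function names (count_directives, render_user_data, render_user_data_vulnerable) and the sample input are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Count the conversion directives in S that the printf family would try
   to satisfy if S were passed as the format string.  "%%" is a literal
   percent sign and is not counted.  This is an illustrative scanner, not
   a full parser of flags, widths and length modifiers. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": a literal '%', skip both chars */
            s++;
            continue;
        }
        n++;                    /* a directive: printf will pop an argument */
    }
    return n;
}

/* Hardened form: user data is the argument of a fixed "%s" format, so any
   '%' it contains is copied literally.  Returns what snprintf returns (the
   length that would have been written), so a caller can detect truncation. */
int render_user_data(char *out, size_t outsz, const char *user_data)
{
    return snprintf(out, outsz, "%s", user_data);
}

/* Vulnerable form, kept only for comparison: user_data *is* the format
   string, so each directive in it makes snprintf read a variadic argument
   that was never passed (undefined behaviour; "%n" additionally writes to
   memory).  gcc and clang warn about this call under -Wformat-security;
   the pragma silences that warning so the example compiles cleanly.  It is
   only ever called below with input that contains no '%'. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int render_user_data_vulnerable(char *out, size_t outsz, const char *user_data)
{
    return snprintf(out, outsz, user_data);
}
#pragma GCC diagnostic pop

int main(void)
{
    /* Constructed attacker-style input for the demonstration. */
    const char *user_data = "hello %x %x %n";
    char buf[64];

    printf("directives the vulnerable form would expand: %zu\n",
           count_directives(user_data));

    render_user_data(buf, sizeof buf, user_data);
    printf("hardened render: %s\n", buf);

    /* On benign input both forms agree, which is why the bug survives
       ordinary testing; the difference only shows once a '%' arrives. */
    render_user_data_vulnerable(buf, sizeof buf, "plain text");
    printf("vulnerable form on benign input: %s\n", buf);
    return 0;
}
```

Compiling with `-Wall -Wformat -Wformat-security` (gcc or clang) and removing the pragma block is the practical check for an existing code base: every `printf(user_data)`-style call that a format-string audit is looking for is reported as "format not a string literal and no format arguments".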

