[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: mass bug filing for undefined sn?printf use

On Tue, 2008-12-30 at 10:41 -0600, Steve Langasek wrote:
> On Tue, Dec 30, 2008 at 10:06:41AM +0100, Arthur de Jong wrote:
> > On Sun, 2008-12-28 at 12:02 -0600, Steve Langasek wrote:
> > > I don't know whether these are also a problem in practice - but if so,
> > > using sprintf(buf + strlen(buf) [...]) is definitely wrong.
> > I don't know if any of my code uses such a construct but why is that
> > wrong as long as [...] doesn't contain buf?
> That's not the context of this discussion; we were talking about buggy code
> that *did* use buf as one of the args to the format string.

Ok, I misunderstood. Thanks.

In that case there can be a great number of situations in which the
buffer may be filled with it's own content (eg. pass the same array as
two arguments to a function and use the above construct in that
function, assignments to temporary variables, etc, etc). Very hard to
check for.

Perhaps this would be a good test for tools such as split, rats or
flawfinder (none of them currently warn about this problem and neither
do any gcc flags that I commonly use). Those kind of tools already to
quite some analysis of source code so perhaps it isn't too difficult to
implement it there.

I've just performed a test with the following code on my system (sid,
hardening-wrapper not installed, compiled with gcc without any extra

  char buf[20];

which returned


so in any case the behaviour is not as could be naively expected

-- arthur - adejong@debian.org - http://people.debian.org/~adejong --

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: