Date: Sun, 25 Jun 2000 22:01:39 -0600
From: Wes Peters <wes@softweyr.com>
To: dima@rdy.com
Cc: Koga Youichirou <y-koga@jp.FreeBSD.org>, wollman@khavrinen.lcs.mit.edu, silby@silby.com, freebsd-security@FreeBSD.ORG
Subject: Re: Fwd: WuFTPD: Providing *remote* root since at least 1994
Message-ID: <3956D5A3.1C2E8D06@softweyr.com>
References: <200006251838.LAA01288@sivka.rdy.com>

Dima Ruban wrote:
>
> Wes Peters writes:
> > Dima Ruban wrote:
> > >
> > > What's the purpose of this patch?
> > > I didn't look at the code, but to me it sounds like it's pretty much
> > > irrelevant whether you gonna use ``foo(fmt, string)'' or ``foo(string)''
> >
> > If string contains formatting codes, foo("%s", string) does the right
> > thing and just puts out the formatting codes in the string.  foo(string)
> > tries to interpret the embedded format codes and blows the stack.
> >
>
> Well, if in addition to "fmt" argument, string will contain formatting code[s],
> the result will be just the same. (at least with printf() family).

Since when did printf try to interpret formatting codes within an argument
string?  In fact, it does not:

wes@homer$ cat foo.c
#include <stdio.h>

int main(void)
{
    char *s = "This is a %s string.\n";

    printf("\nWith format string:\n");
    printf("%s", s);    /* s is passed as data */

    printf("\nWithout format string:\n");
    printf(s);          /* s is used as the format string */
    return 0;
}
wes@homer$ ./foo

With format string:
This is a %s string.

Without format string:
This is a This is a %s string.
 string.

Notice the second output is scrambled, as printf apparently finds a pointer
to the string on the stack and prints it within itself.  Oops.

As you can see, the first printf using the %s code worked fine.

-- 
            "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                         Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/
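
The argument-count mismatch behind the scrambled output in the message above, as an added example that is not part of Wes Peters' message or the archive. The helper names format_args_consumed and emit_safe are hypothetical, and positional conversions such as %1$s are not handled.

```c
#include <stdio.h>
#include <string.h>

/* Count the arguments printf() would fetch if `s` were used as its format
 * string. "%%" is a literal percent sign and fetches nothing; a '*' width
 * or precision fetches one extra int. Positional forms are not handled. */
size_t format_args_consumed(const char *s)
{
    size_t n = 0;

    while ((s = strchr(s, '%')) != NULL) {
        s++;                                  /* step past '%' */
        if (*s == '%') { s++; continue; }     /* literal "%%" */
        /* skip flags, width, precision and length modifiers */
        while (*s && strchr("-+ #0123456789.*hlLqjzt", *s)) {
            if (*s == '*')
                n++;                          /* '*' reads an int argument */
            s++;
        }
        if (*s == '\0')
            break;                            /* truncated specification */
        n++;                                  /* the conversion itself */
        s++;
    }
    return n;
}

/* Safe form: the format is a constant, the untrusted text is only data. */
int emit_safe(char *out, size_t cap, const char *untrusted)
{
    return snprintf(out, cap, "%s", untrusted);
}

int main(void)
{
    const char *s = "This is a %s string.\n";  /* the string from foo.c */
    char buf[64];

    emit_safe(buf, sizeof buf, s);
    printf("passed as data:   %s", buf);
    printf("used as a format: would fetch %zu argument(s), caller passed 0\n",
           format_args_consumed(s));
    return 0;
}
```

Building with gcc or clang and -Wformat -Wformat-security produces a warning for the printf(s) form in foo.c.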