From owner-freebsd-hackers Fri Sep 8 9:55:39 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from mail.rpi.edu (mail.rpi.edu [128.113.100.7]) by hub.freebsd.org (Postfix) with ESMTP id C3A1737B424; Fri, 8 Sep 2000 09:55:32 -0700 (PDT)
Received: from [128.113.24.47] (gilead.acs.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.9.3/8.9.3) with ESMTP id MAA353916; Fri, 8 Sep 2000 12:55:29 -0400
Mime-Version: 1.0
X-Sender: drosih@mail.rpi.edu
Message-Id:
In-Reply-To:
References:
Date: Fri, 8 Sep 2000 12:57:08 -0400
To: "John Doh!" , security@FreeBSD.ORG, hackers@FreeBSD.ORG
From: Garance A Drosihn
Subject: Re: How to stop problems from printf
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 6:27 PM -0400 9/7/00, John Doh! wrote:
>Hello to you, I am a C coder who wishes to write programs we cannot
>exploit via code such as below.
>
>> /* Quoted program, with the includes it needs added so it compiles.
>>  * The format-string weakness the poster describes is kept on purpose:
>>  * the gettext() result is passed directly to printf as the format. */
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <libintl.h>
>>
>> int main(int argc, char **argv)
>> {
>>     if (argc > 1) {
>>         printf(gettext("usage: %s filename\n"), argv[0]);
>>         exit(0);
>>     }
>>     printf("normal execution proceeds...\n");
>>     return 0;
>> }
>
>The issue is that the format string must be obtained from an "untrusted" place, but I want
>to limit substitution of %... to the substitution of, say, in the example the
>argv[0], but not do others, so that given "usage: %s filename %p"
>%p is not interpreted but is instead printed literally, so we get output
>of (taking argv[0] to be "test", just for example)
>usage: test filename %p

Since gettext is getting a string from an untrusted place, you should treat it as you would treat a string being typed in from a user.

For the example you give, you know that you are expecting ONE %s argument, and that ONE %s is the only substitution you will allow. So, have gettext return its value into some string. Then, YOU search that string for '%s'. Then you do a printf of:

printf("%s%s%s", textBefore%s, argv[0], textAfter%s);

For the given example, this is pretty trivial.
If you have several different values you will substitute in the string returned by gettext, then it gets a bit more cumbersome. My suggestion is a fine solution for your example (IMO :-), but if you did have more substitutions then I might try some alternate strategy. One has to be careful about buffer overflows in that temp string, of course.

---
Garance Alistair Drosehn           =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer          or  drosih@rpi.edu
Rensselaer Polytechnic Institute

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
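The split-and-substitute approach Garance describes, written out as an added example (not code from either poster). It assumes a hypothetical helper `render_usage` that takes the untrusted template directly instead of calling gettext(), so it runs offline, and it uses snprintf's return value to make the temp-buffer overflow caveat checkable rather than silent.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Render an untrusted template (e.g. a gettext() result) into `out`,
 * substituting `arg` for the FIRST "%s" only.  The three pieces
 * (textBefore%s, arg, textAfter%s) are passed to printf as DATA, never as
 * the format, so any other %-sequence in the template ("%p", "%n", a
 * second "%s") is copied through literally.  Returns what snprintf
 * returns: the length the full result needs, or a negative value on error.
 * A return >= outsz means the result was truncated to fit `out`. */
int render_usage(char *out, size_t outsz, const char *tmpl, const char *arg)
{
    const char *hit = strstr(tmpl, "%s");
    if (hit == NULL) {
        /* No placeholder at all: the template is just literal text. */
        return snprintf(out, outsz, "%s", tmpl);
    }
    int before_len = (int)(hit - tmpl);          /* bytes before "%s" */
    return snprintf(out, outsz, "%.*s%s%s",
                    before_len, tmpl,             /* textBefore%s  */
                    arg,                          /* argv[0]       */
                    hit + 2);                     /* textAfter%s   */
}

int main(void)
{
    /* Constructed "translation" carrying an extra %p, as in the question. */
    const char *untrusted = "usage: %s filename %p\n";
    char buf[64];
    int need = render_usage(buf, sizeof buf, untrusted, "test");
    if (need < 0 || (size_t)need >= sizeof buf) {
        fputs("template too long for buffer\n", stderr);
        return 1;
    }
    fputs(buf, stdout);   /* usage: test filename %p */
    return 0;
}
```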