Date: Fri, 20 Apr 2001 01:10:26 +0400 From: "D. K." <dk@homepage.ru> To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, security@FreeBSD.ORG Subject: Re: FreeBSD grow bug Message-ID: <3ADF5442.BD703D6@homepage.ru> References: <3ADF4DD0.17AB0F64@homepage.ru> <200104192042.QAA40625@khavrinen.lcs.mit.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
Garrett Wollman wrote:
>
> <<On Fri, 20 Apr 2001 00:42:56 +0400, "D. K." <dk@homepage.ru> said:
>
> > int main(int argc, char *argv) {
> > printf("%7$x\n", 1, 2, 3, 4, 5, 6, 7);
> > printf("%8$x\n", 1, 2, 3, 4, 5, 6, 7, 8);
> > printf("no grow bug\n");
> > return 0;
> > }
>
> This code is erroneous. If the format string does not reference all
> positional arguments up to and including the numerically greatest one
> named, the result of *printf() is undefined. This is not a security
> matter; replies to <freebsd-standards@bostonradio.org>, please.
You are not right;) See format string reference
or next example:
#include <stdio.h>
int main(int argc, char *argv) {
char buf[100];
sprintf(buf, "%d%d%d%d%d%d%d %7$x\n", 1, 2, 3, 4, 5, 6, 7);
printf("%s", buf);
sprintf(buf, "%d%d%d%d%d%d%d%d %8$x\n", 1, 2, 3, 4, 5, 6, 7, 8);
printf("%s", buf);
printf("no grow bug\n");
return 0;
}
Best Regards,
Dmitry Kopteloff
---
LG Soft Lab.
Information Security Group, RUSSIA
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3ADF5442.BD703D6>