Subject: Re: stackguard-like embedded protection
From: Michael Wojcik (Michael.Wojcik@MERANT.COM)
Date: Wed Sep 06 2000 - 13:54:47 CDT


> -----Original Message-----
> From: H D Moore [mailto:hdm@SECUREAUSTIN.COM]
> Sent: Tuesday, September 05, 2000 10:35 PM

> I know I am going to sound like a moron, but why do these bugs exist in
> the first place?

Because lazy programmers pass unknown strings as the format-string argument
to the printf/scanf function family, rather than use a format-string of
"%s". This is incorrect practice by pretty much any measure (the format
string conceptually specifies data layout and captioning, not the primary
data itself), but unfortunately not uncommon.

> Why can't the *printf functions take an argc parameter
> and refuse to expand format strings after that number has
> been reached?

Because the printf/scanf functions were defined a long time ago, and are
very widely used, and that's not how they work.

And, more importantly, it's unnecessary. Every instance of

        printf(user_data);

can become

        printf("%s", user_data);

and the problem is gone. No new argument-count parameter is required.

> I know this would break most apps instantly, but it's such a small change
> it wouldn't be hard to fix. Is POSIX compliance responsible for this or
> am I missing some crucial detail?

It's possible to fix broken applications without changing the API - and so
without breaking the ones that work.

Michael Wojcik michael.wojcik@merant.com
MERANT
Department of English, Miami University
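As an added example (not part of the original thread), the two shapes discussed above side by side in C: a small audit helper that counts the conversion directives an untrusted string would introduce if it were ever used as a format, and the "%s" fix in bounded form. The sample input is constructed for the demonstration; the function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Count '%' characters that would begin a conversion if this string were
 * ever used as a printf/scanf format. "%%" is a literal percent and is not
 * counted. Useful in a code-audit harness or as a log-line sanity check. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {   /* escaped percent: skip the pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* The fix from the thread, in bounded form: untrusted bytes are passed as
 * an argument to a fixed "%s" format, so they are copied, never parsed.
 * Returns 0 on success, -1 if the output buffer would be truncated. */
int log_safe(char *out, size_t outsz, const char *user_data)
{
    int n = snprintf(out, outsz, "%s", user_data);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

int main(void)
{
    /* constructed sample input, not real data */
    const char *sample = "user %s said %x and was 100%% sure";
    char line[64];

    printf("directives in sample: %d\n", count_format_directives(sample));
    if (log_safe(line, sizeof line, sample) == 0)
        printf("logged safely: %s\n", line);   /* bytes appear verbatim */
    return 0;
}
```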