[15915] in bugtraq
Re: StackGuard with ... Re: [Paper] Format bugs.
daemon@ATHENA.MIT.EDU (Brett Glass)
Sat Jul 22 19:51:22 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-ID: <4.3.2.7.2.20000721224040.04b04b90@localhost>
Date: Fri, 21 Jul 2000 22:48:57 -0600
Reply-To: Brett Glass <brett@LARIAT.ORG>
From: Brett Glass <brett@LARIAT.ORG>
X-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200007212152.e6LLqPi22099@cvs.openbsd.org>
Which brings up a more interesting question:
Don't these errors really reflect more fundamental problems in the
development tools? It seems to me that the bugs arose because:
1) Format strings in the C libraries use a sort of "in-band signalling" --
that is, they can mix text with format designators. This means that
passing the text you want to print as the format string produces results
that appear to be correct.
2) The C language itself has no way of specifying a MINIMUM number of
arguments for a function call. Had the compiler noted that setproctitle()
and similar functions need at least two arguments, the mistakes would
have been caught from the get-go.
The latter problem can be solved by insisting upon the use of macros
that mandate a minimum number of arguments and produce a warning
or error message otherwise.
The former requires changing the conventions used by the standard C
libraries, which is probably infeasible.
--Brett Glass
At 03:52 PM 7/21/2000, Theo de Raadt wrote:
>> There is no substitute, however, for a careful line-by-line audit of
>> code.
>
>In my mind, there never was.
>
>When this came up, we (Todd Miller, Todd Fries, and I) did an audit on
>our source tree for the following cases
>
> *printf()
> err*()
> warn*()
> syslog()
> setproctitle()
> hand-made log()-style functions which end up calling v*() functions
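An added illustration of the two points Brett raises above, written here for this page and not taken from the thread or from any OpenBSD code: the `count_directives()` helper makes the "in-band signalling" visible (a plain string carries nothing that tells `*printf()` it is data rather than a format), and the `LOG()` macro is one way to do what he proposes in point 2, a wrapper that will not compile unless it is given a string-literal format and at least one further argument. The names `log_impl`, `LOG`, `render_untrusted` and `renders_verbatim` are invented for the example; the `format` attribute is assumed to be available (GCC or Clang) and is only a compile-time aid, so it is guarded with `#ifdef __GNUC__`.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count the conversion directives a *printf() function would act on if
 * `s` were handed to it as the format string. "%%" is a literal percent
 * sign and is not counted. Nothing in the string marks it as text rather
 * than a format: that is the in-band signalling the post describes. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* "%%" prints one '%' and is not a directive */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Minimal logger: formats into a caller-supplied buffer.  With GCC/Clang the
 * attribute lets -Wformat check the arguments against the format string. */
#ifdef __GNUC__
__attribute__((format(printf, 3, 4)))
#endif
void log_impl(char *out, size_t outsz, const char *fmt, ...);

void log_impl(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* The macro the post proposes (hypothetical name).  It refuses to compile
 * unless it receives a format string AND at least one further argument, and
 * the `"" fmt ""` concatenation forces `fmt` to be a string literal, so a
 * variable holding untrusted text cannot be passed as the format by mistake.
 *   LOG(buf, sizeof buf, text)        -> compile error: text is not a literal
 *   LOG(buf, sizeof buf, "%s")        -> compile error: no argument after fmt
 *   LOG(buf, sizeof buf, "%s", text)  -> ok, text is data                   */
#define LOG(out, outsz, fmt, ...) log_impl(out, outsz, "" fmt "", __VA_ARGS__)

/* Render untrusted text the safe way: it travels as an argument, never as
 * the format.  Returns how many directives the text contained, so a caller
 * can also alert on input that looks like a probe. */
size_t render_untrusted(char *out, size_t outsz, const char *text)
{
    LOG(out, outsz, "%s", text);
    return count_directives(text);
}

/* True when `text` comes back byte-for-byte, i.e. it was treated purely as
 * data (only for inputs shorter than the local buffer). */
int renders_verbatim(const char *text)
{
    char out[256];
    render_untrusted(out, sizeof out, text);
    return strcmp(out, text) == 0;
}

int main(void)
{
    /* Constructed sample of the kind of input that looks correct when
     * passed as a format but is really data. */
    const char *text = "progress: 100%% %s %d";
    char buf[128];
    size_t n = render_untrusted(buf, sizeof buf, text);
    printf("rendered: %s (%zu directives in input)\n", buf, n);
    return 0;
}
```

The compile-time checks in the comment block above are the whole point of the macro: a call such as `LOG(buf, sizeof buf, msg)`, the shape of the bug the thread is about, is rejected by the preprocessor and compiler, rather than silently passing `msg` as the format.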