3.2. Preventing Attacks on Formatting Functions
Problem
You use functions such as printf() or syslog() in your program, and you want to ensure that you use them in such a way that an attacker cannot coerce them into behaving in ways that you do not intend.
Solution
Functions such as the printf() family of functions provide a flexible and powerful way to format data easily. Unfortunately, they can be extremely dangerous as well. Following the guidelines outlined in Section 3.2.3 below will allow you to easily avert many of the problems with these functions.
Discussion
The printf() family of functions—and other functions that use them, such as syslog() on Unix systems—all require an argument that specifies a format, as well as a variable number of additional arguments that are substituted at various locations in the format string to produce formatted output. The functions come in two major varieties:

- Those that output to a file (printf() outputs to stdout)
- Those that output to a string
Both can be dangerous, but the latter variety is significantly more so.
The format string is copied, character by character, until a percent (%) symbol is encountered. The characters that immediately follow the percent symbol determine what will be output in their place. For each substitution in the format string, the next argument in the variable argument list is used. Because of the way that variable-sized argument lists work in C (see Recipe 13.4), the functions assume that the number ...
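The following C code is an added example, not code from the Cookbook, showing the defensive pattern for both varieties described above: the format string is always a literal chosen by the program, untrusted text is bound to a %s conversion so any percent signs it contains are copied through as data, and the string-output variant goes through vsnprintf with an explicit buffer size and a truncation check. The helper names safe_format, log_untrusted and print_untrusted, and the sample client input, are assumptions made for this illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the Cookbook); helper names are hypothetical. */

/* String-output variety: format into a caller-supplied buffer of known
 * size using vsnprintf. Returns 0 on success and -1 if the result did
 * not fit or an encoding error occurred. When size > 0 the buffer is
 * always NUL-terminated, so even a truncated message is safe to use.
 * The GCC/Clang format attribute lets the compiler check call sites
 * the same way it checks printf itself. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
int safe_format(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (buf == NULL || size == 0)
        return -1;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);

    if (n < 0) {            /* encoding error: leave a valid empty string */
        buf[0] = '\0';
        return -1;
    }
    if ((size_t)n >= size)  /* output was cut to size - 1 characters */
        return -1;
    return 0;
}

/* Builds a log line from untrusted text (for example a network client's
 * input). The text is an argument to a literal format, so a '%' inside
 * it is never interpreted as a conversion specification. */
int log_untrusted(char *buf, size_t size, const char *untrusted)
{
    return safe_format(buf, size, "client said: %s", untrusted);
}

/* File-output variety: same rule, literal format and %s for the data.
 * Returns fprintf's count of characters written, negative on error. */
int print_untrusted(FILE *out, const char *untrusted)
{
    return fprintf(out, "client said: %s\n", untrusted);
}

int main(void)
{
    /* Constructed sample input that happens to contain '%' sequences. */
    const char *input = "50% done, see %s and %x";
    char line[64];
    char small[16];

    if (log_untrusted(line, sizeof line, input) == 0)
        printf("formatted: %s\n", line);

    if (log_untrusted(small, sizeof small, input) != 0)
        printf("truncated to: \"%s\"\n", small);

    print_untrusted(stdout, input);
    return 0;
}
```

The contrast to keep in mind is with passing the untrusted text as the format argument itself (printf(untrusted)): there the function would consume arguments that were never supplied, which is exactly the mismatch the Discussion describes. With a literal format, the number and types of conversions are fixed at compile time and the compiler can verify them.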