Jeff Macdonald wrote:
>> Passing an unchecked string as a printf format is an ancient unix bug.
> Ah, so vargs type stuff. Still, I'll have to run it through a debugger
> myself to understand. I would think one would have a loop of some
> sort. I would have thought if there were no args it would just end.
Nope, because the '%' is telling the parser to expect an argument.
A debugger will generally not tell you these things, but good Heap
Managers (which may be part of the better debugger) can give some
buffer overflow and underflow detection. But it's not perfect and stack
overhead wrapping code is the direction with newer compilers to help
protect against stack corruptions.
The question of harm depends on many factors but in principle, for
your example:
log_write(0, LOG_MAIN, (char *)logmsg)
you need to escape any '%' character (double it) in the logmsg asciiz
string because it's the format string for the va RTL library.
Could it cause harm? It depends on:
- what is the next character following %, and
- what (junk) is already in memory.
For example, if the next character is:
%s
%d
%s forces the parser to look for first zero (NULL) in memory and if it
reaches a protected memory boundary - PUFF!, a Read Access GPF
(General Protection Fault) occurs - that is what a protected mode OS does.
%d is less critical because it tells the parser to only look for the
next 4 bytes (32 bit) or 8 bytes (64 bit). You may see junk in your
log file, but it won't abort the application.
Now if there was just a space, like in
"There is a 50% chance of rain!"
it's really unknown what can happen with the C based format string
parser. Offhand, it should not be a harmful bug. But if the logmsg
can be set by some external source - that's a major exploit to be plugged up.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
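An added example, not code from the post above or from the software it discusses: a stand-in printf-style log_write() (its signature and the LOG_MAIN value are assumed) next to the two ways to call it safely, the '%'-doubling escape suggested above and the "%s" form, plus a small check that counts the conversions a format parser would actually consume.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define LOG_MAIN 1  /* placeholder; the real value is not on the page */
/* Stand-in for a printf-style log_write(): the third argument is a format. */
static void log_write(int flags, int which, const char *fmt, ...) {
    va_list ap; (void)flags; (void)which;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);   /* every unescaped '%' in fmt is interpreted */
    va_end(ap);
    fputc('\n', stderr);
}
/* Count '%' characters a format parser treats as conversions.
   "%%" is a literal percent and consumes no argument; anything else
   ("%s", "%d", "% c" where the space is a printf flag, or a trailing '%')
   makes the parser reach for an argument that was never passed. */
int count_conversions(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}
/* Escape a message so it can be used as a format string: '%' -> "%%".
   Returns a malloc'd string (caller frees) or NULL on allocation failure. */
char *escape_percent(const char *msg) {
    size_t len = strlen(msg), extra = 0;
    for (size_t i = 0; i < len; i++) if (msg[i] == '%') extra++;
    char *out = malloc(len + extra + 1), *q = out;
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        if (msg[i] == '%') *q++ = '%';
        *q++ = msg[i];
    }
    *q = '\0';
    return out;
}
int main(void) {
    const char *logmsg = "There is a 50% chance of rain!";  /* constructed input */
    /* Vulnerable shape: log_write(0, LOG_MAIN, (char *)logmsg);
       "% c" is a space-flagged %c conversion, so it reads a missing argument. */
    char *safe = escape_percent(logmsg);
    if (safe) { log_write(0, LOG_MAIN, safe); free(safe); }  /* escaped form */
    log_write(0, LOG_MAIN, "%s", logmsg);  /* preferred: message is data, not format */
    return 0;
}
```

Preferring the "%s" form over escaping means the message never reaches the parser as a format at all, so there is nothing to get wrong.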
_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops