
Now you C me, now you don't - pcw888
https://securitylab.github.com/research/now-you-c-me
======
MaxBarraclough
> In a nutshell, format string bugs are a class of bugs in which an attacker
> provides their own format string data into a formatting function, e.g.
> printf(attacker_controlled)

It might be an odd thing to have a strong opinion about, but I consider it
poor form to use _printf_ in a C hello world, for this reason. Stick with
_puts_ unless you need to use format-specifiers in the string.

~~~
IncRnd
Printf is perfectly acceptable when a string is being printed without format-
specifiers. You are abstracting your limited experience to be true for all
situations.

For a simple example, how will puts print a string without a line termination?

~~~
orwin
Hence, use write()!

Not completely joking here, I think every time I've had to use strings to make
two C programs communicate over a network, write() was as easy to use as
printf(). Obviously it's not true when communicating with a user.

~~~
IncRnd
That's not a bad point for many cases. I was pointing out that the coding rule
in the upper comment to always use puts, and never printf, is bad advice.

I am glad to hear you mention network coding. More people should do that, so
fewer people make statements like, "always use puts for writing strings, never
printf."

------
rurban
It's still a minefield, and nobody is doing anything against it.

printf %n has been known to be dangerous for ages, and the secure variant printf_s
which forbids it is nowhere implemented because of politics. Almost nobody uses
the -Wformat attributes in their declarations, and the wide variants of
__attribute__(format(wprintf)) and wscanf have been waiting to be implemented since
2008. Patches have existed for ages.

~~~
projektfu
For those of us who forgot this odd behavior:

%n: Prints nothing, but writes the number of characters successfully written so
far into an integer pointer parameter.
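
A small C illustration of the two points in this subthread, the %n behaviour just described and the fix behind the puts/printf remark at the top (pass untrusted text as a %s argument, or use fputs, never as the format string). This is an added example, not code from the thread or the linked article; snprintf into local buffers is used so it runs stand-alone, and the sample untrusted string is constructed. Compiling with gcc -Wformat=2 warns on a non-literal format string.

```c
#include <stdio.h>
#include <string.h>

/* The %n behaviour from the comment above, on a local buffer so nothing
 * is printed: snprintf writes "abc", then %n stores the count so far (3)
 * into n, then "de" follows. The format here is a literal, which is the
 * only place %n is ever legitimate. */
int chars_written_before_n(void) {
    char buf[16];
    int n = -1;
    snprintf(buf, sizeof buf, "abc%nde", &n);
    return n;  /* 3; buf now holds "abcde" */
}

/* The mitigation behind the puts/printf remark: untrusted text goes in
 * as a %s argument, never as the format string. Any %n, %x or %s inside
 * it is then copied as literal characters rather than interpreted.
 * Returns 1 when the round-trip is byte-exact. */
int untrusted_stays_literal(void) {
    const char *untrusted = "100%n done, %x%s";   /* constructed sample */
    char out[64];
    int len = snprintf(out, sizeof out, "%s", untrusted);
    return len == (int)strlen(untrusted) && strcmp(out, untrusted) == 0;
}

/* IncRnd's counter-example, a string with no trailing newline: fputs
 * emits exactly the bytes given with no format interpretation, so it is
 * the drop-in for printf(s) whenever s is not a literal. Returns 0 on
 * success, -1 on a stream error. */
int emit_raw(const char *s, FILE *stream) {
    return fputs(s, stream) == EOF ? -1 : 0;
}

int main(void) {
    printf("%%n stored %d\n", chars_written_before_n());
    printf("literal round-trip ok: %d\n", untrusted_stays_literal());
    emit_raw("no newline here", stdout);
    fputc('\n', stdout);
    return 0;
}
```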

~~~
lewiscollard
That's frightening. Is there any legit use case for this in the real world
that would stop, e.g., glibc from removing it altogether?

~~~
projektfu
I got curious and looked through sources. I'm not sure where it was added, but
it appeared between 4.3BSD and the 4.3BSD Tahoe edition according to the man
pages. It did not seem to be present in System III. Searching for actual uses,
I didn't find any that weren't testing the functionality (unit tests) or
hacking the stack.

