Add warnings about trusting user-supplied data.

Reviewed by:	ru
Approved by:	murray
Obtained from:	OpenBSD

3 files changed, 43 insertions, 2 deletions

diff --git a/lib/libc/gen/setproctitle.3 b/lib/libc/gen/setproctitle.3
index eed8f81..15538d5 100644
--- a/lib/libc/gen/setproctitle.3
+++ b/lib/libc/gen/setproctitle.3
@@ -25,8 +25,7 @@
 .Dt SETPROCTITLE 3
 .Sh NAME
 .Nm setproctitle
-.Nd set the process title for
-.Xr ps 1
+.Nd set process title
 .Sh SYNOPSIS
 .Fd #include <sys/types.h>
 .Fd #include <unistd.h>
@@ -99,3 +98,17 @@ stole the idea from the
 .Sy "Sendmail 8.7.3"
 source code by
 .An Eric Allman Aq eric@sendmail.org .
+.Sh BUGS
+Never pass a string with user-supplied data as a format without using
+.Ql %s .
+An attacker can put format specifiers in the string to mangle your stack, 
+leading to a possible security hole.
+This holds true even if the string was built using a function like
+.Fn snprintf ,
+as the resulting string may still contain user-supplied conversion specifiers
+for later interpolation by
+.Fn setproctitle .
+.Pp
+Always use the proper secure idiom:
+.Pp
+.Dl setproctitle("%s", string);
diff --git a/lib/libc/gen/syslog.3 b/lib/libc/gen/syslog.3
index a276323..7513d60 100644
--- a/lib/libc/gen/syslog.3
+++ b/lib/libc/gen/syslog.3
@@ -280,3 +280,17 @@ syslog(LOG_INFO|LOG_LOCAL2, "foobar error: %m");
 These
 functions appeared in
 .Bx 4.2 .
+.Sh BUGS
+Never pass a string with user-supplied data as a format without using
+.Ql %s .
+An attacker can put format specifiers in the string to mangle your stack, 
+leading to a possible security hole.
+This holds true even if the string was built using a function like
+.Fn snprintf ,
+as the resulting string may still contain user-supplied conversion specifiers
+for later interpolation by
+.Fn syslog .
+.Pp
+Always use the proper secure idiom:
+.Pp
+.Dl syslog("%s", string);
diff --git a/lib/libc/stdio/printf.3 b/lib/libc/stdio/printf.3
index 30b02a6..590c1c0 100644
--- a/lib/libc/stdio/printf.3
+++ b/lib/libc/stdio/printf.3
@@ -664,3 +664,17 @@ For safety, programmers should use the
 .Fn snprintf
 interface instead.
 Unfortunately, this interface is not portable.
+.Pp
+Never pass a string with user-supplied data as a format without using
+.Ql %s .
+An attacker can put format specifiers in the string to mangle your stack,
+leading to a possible security hole.
+This holds true even if the string was built using a function like
+.Fn snprintf ,
+as the resulting string may still contain user-supplied conversion specifiers
+for later interpolation by
+.Fn printf .
+.Pp
+Always use the proper secure idiom:
+.Pp
+.Dl snprintf(buffer, sizeof(buffer), "%s", string);