diff options
Diffstat (limited to 'lib/libc/stdio')
| -rw-r--r-- | lib/libc/stdio/fgets.3 | 26 | ||||
| -rw-r--r-- | lib/libc/stdio/printf.3 | 142 | ||||
| -rw-r--r-- | lib/libc/stdio/tmpnam.3 | 22 | ||||
| -rw-r--r-- | lib/libc/stdio/wprintf.3 | 6 |
4 files changed, 98 insertions, 98 deletions
diff --git a/lib/libc/stdio/fgets.3 b/lib/libc/stdio/fgets.3 index aa8e2ac..fba7353 100644 --- a/lib/libc/stdio/fgets.3 +++ b/lib/libc/stdio/fgets.3 @@ -128,6 +128,19 @@ may also fail and set .Va errno for any of the errors specified for the routine .Xr getchar 3 . +.Sh SEE ALSO +.Xr feof 3 , +.Xr ferror 3 , +.Xr fgetln 3 , +.Xr fgetws 3 , +.Xr getline 3 +.Sh STANDARDS +The functions +.Fn fgets +and +.Fn gets +conform to +.St -isoC-99 . .Sh SECURITY CONSIDERATIONS The .Fn gets @@ -143,16 +156,3 @@ It is strongly suggested that the function be used in all cases. (See the FSA.) -.Sh SEE ALSO -.Xr feof 3 , -.Xr ferror 3 , -.Xr fgetln 3 , -.Xr fgetws 3 , -.Xr getline 3 -.Sh STANDARDS -The functions -.Fn fgets -and -.Fn gets -conform to -.St -isoC-99 . diff --git a/lib/libc/stdio/printf.3 b/lib/libc/stdio/printf.3 index 2c031f7..90a8ed8 100644 --- a/lib/libc/stdio/printf.3 +++ b/lib/libc/stdio/printf.3 @@ -709,77 +709,6 @@ char *newfmt(const char *fmt, ...) return (p); } .Ed -.Sh SECURITY CONSIDERATIONS -The -.Fn sprintf -and -.Fn vsprintf -functions are easily misused in a manner which enables malicious users -to arbitrarily change a running program's functionality through -a buffer overflow attack. -Because -.Fn sprintf -and -.Fn vsprintf -assume an infinitely long string, -callers must be careful not to overflow the actual space; -this is often hard to assure. -For safety, programmers should use the -.Fn snprintf -interface instead. -For example: -.Bd -literal -void -foo(const char *arbitrary_string, const char *and_another) -{ - char onstack[8]; - -#ifdef BAD - /* - * This first sprintf is bad behavior. Do not use sprintf! - */ - sprintf(onstack, "%s, %s", arbitrary_string, and_another); -#else - /* - * The following two lines demonstrate better use of - * snprintf(). - */ - snprintf(onstack, sizeof(onstack), "%s, %s", arbitrary_string, - and_another); -#endif -} -.Ed -.Pp -The -.Fn printf -and -.Fn sprintf -family of functions are also easily misused in a manner -allowing malicious users to arbitrarily change a running program's -functionality by either causing the program -to print potentially sensitive data -.Dq "left on the stack" , -or causing it to generate a memory fault or bus error -by dereferencing an invalid pointer. -.Pp -.Cm %n -can be used to write arbitrary data to potentially carefully-selected -addresses. -Programmers are therefore strongly advised to never pass untrusted strings -as the -.Fa format -argument, as an attacker can put format specifiers in the string -to mangle your stack, -leading to a possible security hole. -This holds true even if the string was built using a function like -.Fn snprintf , -as the resulting string may still contain user-supplied conversion specifiers -for later interpolation by -.Fn printf . -.Pp -Always use the proper secure idiom: -.Pp -.Dl "snprintf(buffer, sizeof(buffer), \*q%s\*q, string);" .Sh COMPATIBILITY Many application writers used the name .Va dprintf @@ -906,3 +835,74 @@ The family of functions do not correctly handle multibyte characters in the .Fa format argument. +.Sh SECURITY CONSIDERATIONS +The +.Fn sprintf +and +.Fn vsprintf +functions are easily misused in a manner which enables malicious users +to arbitrarily change a running program's functionality through +a buffer overflow attack. +Because +.Fn sprintf +and +.Fn vsprintf +assume an infinitely long string, +callers must be careful not to overflow the actual space; +this is often hard to assure. +For safety, programmers should use the +.Fn snprintf +interface instead. +For example: +.Bd -literal +void +foo(const char *arbitrary_string, const char *and_another) +{ + char onstack[8]; + +#ifdef BAD + /* + * This first sprintf is bad behavior. Do not use sprintf! + */ + sprintf(onstack, "%s, %s", arbitrary_string, and_another); +#else + /* + * The following two lines demonstrate better use of + * snprintf(). + */ + snprintf(onstack, sizeof(onstack), "%s, %s", arbitrary_string, + and_another); +#endif +} +.Ed +.Pp +The +.Fn printf +and +.Fn sprintf +family of functions are also easily misused in a manner +allowing malicious users to arbitrarily change a running program's +functionality by either causing the program +to print potentially sensitive data +.Dq "left on the stack" , +or causing it to generate a memory fault or bus error +by dereferencing an invalid pointer. +.Pp +.Cm %n +can be used to write arbitrary data to potentially carefully-selected +addresses. +Programmers are therefore strongly advised to never pass untrusted strings +as the +.Fa format +argument, as an attacker can put format specifiers in the string +to mangle your stack, +leading to a possible security hole. +This holds true even if the string was built using a function like +.Fn snprintf , +as the resulting string may still contain user-supplied conversion specifiers +for later interpolation by +.Fn printf . +.Pp +Always use the proper secure idiom: +.Pp +.Dl "snprintf(buffer, sizeof(buffer), \*q%s\*q, string);" diff --git a/lib/libc/stdio/tmpnam.3 b/lib/libc/stdio/tmpnam.3 index 66652b7..937068f 100644 --- a/lib/libc/stdio/tmpnam.3 +++ b/lib/libc/stdio/tmpnam.3 @@ -217,6 +217,17 @@ for any of the errors specified for the library functions .Xr malloc 3 or .Xr mktemp 3 . +.Sh SEE ALSO +.Xr mkstemp 3 , +.Xr mktemp 3 +.Sh STANDARDS +The +.Fn tmpfile +and +.Fn tmpnam +functions +conform to +.St -isoC . .Sh SECURITY CONSIDERATIONS The .Fn tmpnam @@ -235,14 +246,3 @@ It is strongly suggested that be used in place of these functions. (See the FSA.) -.Sh SEE ALSO -.Xr mkstemp 3 , -.Xr mktemp 3 -.Sh STANDARDS -The -.Fn tmpfile -and -.Fn tmpnam -functions -conform to -.St -isoC . diff --git a/lib/libc/stdio/wprintf.3 b/lib/libc/stdio/wprintf.3 index 3e91846..fecb586 100644 --- a/lib/libc/stdio/wprintf.3 +++ b/lib/libc/stdio/wprintf.3 @@ -588,9 +588,6 @@ In no case does a non-existent or small field width cause truncation of a numeric field; if the result of a conversion is wider than the field width, the field is expanded to contain the conversion result. -.Sh SECURITY CONSIDERATIONS -Refer to -.Xr printf 3 . .Sh SEE ALSO .Xr btowc 3 , .Xr fputws 3 , @@ -616,3 +613,6 @@ and functions conform to .St -isoC-99 . +.Sh SECURITY CONSIDERATIONS +Refer to +.Xr printf 3 . |
