From 48496193ae9553467f32b177c73be5f1b8fd9fd1 Mon Sep 17 00:00:00 2001 From: obrien Date: Mon, 5 Apr 2010 22:09:29 +0000 Subject: I feel this wording of the history is more clear. ANSIfy vasprintf() while I'm here. --- lib/libc/stdio/printf.3 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'lib/libc/stdio/printf.3') diff --git a/lib/libc/stdio/printf.3 b/lib/libc/stdio/printf.3 index 8de2bb8..8c1cd28 100644 --- a/lib/libc/stdio/printf.3 +++ b/lib/libc/stdio/printf.3 @@ -891,9 +891,9 @@ in .Fx 2.2 , but were later replaced with a different implementation from -.An Todd C. Miller Aq Todd.Miller@courtesan.com -for -.Ox 2.3 . +.Ox 2.3 +by +.An Todd C. Miller Aq Todd.Miller@courtesan.com . The .Fn dprintf and -- cgit v1.1 From 15a09e0259e6b17ca95de8988966d875aa47cbd0 Mon Sep 17 00:00:00 2001 From: uqs Date: Tue, 11 May 2010 23:08:15 +0000 Subject: mdoc: use macro for +- that is understood by mdocml Reviewed by: brueffer --- lib/libc/stdio/printf.3 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/libc/stdio/printf.3') diff --git a/lib/libc/stdio/printf.3 b/lib/libc/stdio/printf.3 index 8c1cd28..2c031f7 100644 --- a/lib/libc/stdio/printf.3 +++ b/lib/libc/stdio/printf.3 @@ -449,7 +449,7 @@ The .Vt double argument is rounded and converted in the style .Sm off -.Oo \- Oc Ar d Li \&. Ar ddd Li e \\*[Pm] Ar dd +.Oo \- Oc Ar d Li \&. Ar ddd Li e \(+- Ar dd .Sm on where there is one digit before the decimal-point character @@ -525,7 +525,7 @@ The .Vt double argument is rounded and converted to hexadecimal notation in the style .Sm off -.Oo \- Oc Li 0x Ar h Li \&. Ar hhhp Oo \\*[Pm] Oc Ar d , +.Oo \- Oc Li 0x Ar h Li \&. Ar hhhp Oo \(+- Oc Ar d , .Sm on where the number of digits after the hexadecimal-point character is equal to the precision specification. -- cgit v1.1 From 1ab3783e1a2e5231321a0fc5399736ddc70407f0 Mon Sep 17 00:00:00 2001 
From: uqs Date: Thu, 13 May 2010 12:07:55 +0000 Subject: mdoc: move CAVEATS, BUGS and SECURITY CONSIDERATIONS sections to the bottom of the manpages and order them consistently. GNU groff doesn't care about the ordering, and doesn't even mention CAVEATS and SECURITY CONSIDERATIONS as common sections and where to put them. Found by: mdocml lint run Reviewed by: ru --- lib/libc/stdio/printf.3 | 142 ++++++++++++++++++++++++------------------------ 1 file changed, 71 insertions(+), 71 deletions(-) (limited to 'lib/libc/stdio/printf.3') diff --git a/lib/libc/stdio/printf.3 b/lib/libc/stdio/printf.3 index 2c031f7..90a8ed8 100644 --- a/lib/libc/stdio/printf.3 +++ b/lib/libc/stdio/printf.3 
@@ -709,77 +709,6 @@ char *newfmt(const char *fmt, ...) return (p); } .Ed -.Sh SECURITY CONSIDERATIONS -The -.Fn sprintf -and -.Fn vsprintf -functions are easily misused in a manner which enables malicious users -to arbitrarily change a running program's functionality through -a buffer overflow attack. -Because -.Fn sprintf -and -.Fn vsprintf -assume an infinitely long string, -callers must be careful not to overflow the actual space; -this is often hard to assure. -For safety, programmers should use the -.Fn snprintf -interface instead. -For example: -.Bd -literal -void -foo(const char *arbitrary_string, const char *and_another) -{ - char onstack[8]; - -#ifdef BAD - /* - * This first sprintf is bad behavior. Do not use sprintf! - */ - sprintf(onstack, "%s, %s", arbitrary_string, and_another); -#else - /* - * The following two lines demonstrate better use of - * snprintf(). - */ - snprintf(onstack, sizeof(onstack), "%s, %s", arbitrary_string, - and_another); -#endif -} -.Ed -.Pp -The -.Fn printf -and -.Fn sprintf -family of functions are also easily misused in a manner -allowing malicious users to arbitrarily change a running program's -functionality by either causing the program -to print potentially sensitive data -.Dq "left on the stack" , -or causing it to generate a memory fault or bus error -by dereferencing an invalid pointer. -.Pp -.Cm %n -can be used to write arbitrary data to potentially carefully-selected -addresses. -Programmers are therefore strongly advised to never pass untrusted strings -as the -.Fa format -argument, as an attacker can put format specifiers in the string -to mangle your stack, -leading to a possible security hole. -This holds true even if the string was built using a function like -.Fn snprintf , -as the resulting string may still contain user-supplied conversion specifiers -for later interpolation by -.Fn printf . 
-.Pp -Always use the proper secure idiom: -.Pp -.Dl "snprintf(buffer, sizeof(buffer), \*q%s\*q, string);" .Sh COMPATIBILITY Many application writers used the name .Va dprintf 
@@ -906,3 +835,74 @@ The family of functions do not correctly handle multibyte characters in the .Fa format argument. +.Sh SECURITY CONSIDERATIONS +The +.Fn sprintf +and +.Fn vsprintf +functions are easily misused in a manner which enables malicious users +to arbitrarily change a running program's functionality through +a buffer overflow attack. +Because +.Fn sprintf +and +.Fn vsprintf +assume an infinitely long string, +callers must be careful not to overflow the actual space; +this is often hard to assure. +For safety, programmers should use the +.Fn snprintf +interface instead. +For example: +.Bd -literal +void +foo(const char *arbitrary_string, const char *and_another) +{ + char onstack[8]; + +#ifdef BAD + /* + * This first sprintf is bad behavior. Do not use sprintf! + */ + sprintf(onstack, "%s, %s", arbitrary_string, and_another); +#else + /* + * The following two lines demonstrate better use of + * snprintf(). + */ + snprintf(onstack, sizeof(onstack), "%s, %s", arbitrary_string, + and_another); +#endif +} +.Ed +.Pp +The +.Fn printf +and +.Fn sprintf +family of functions are also easily misused in a manner +allowing malicious users to arbitrarily change a running program's +functionality by either causing the program +to print potentially sensitive data +.Dq "left on the stack" , +or causing it to generate a memory fault or bus error +by dereferencing an invalid pointer. +.Pp +.Cm %n +can be used to write arbitrary data to potentially carefully-selected +addresses. +Programmers are therefore strongly advised to never pass untrusted strings +as the +.Fa format +argument, as an attacker can put format specifiers in the string +to mangle your stack, +leading to a possible security hole. +This holds true even if the string was built using a function like +.Fn snprintf , +as the resulting string may still contain user-supplied conversion specifiers +for later interpolation by +.Fn printf . 
+.Pp +Always use the proper secure idiom: +.Pp +.Dl "snprintf(buffer, sizeof(buffer), \*q%s\*q, string);" -- cgit v1.1 From 76d72447281953457a8a3a319fdc80070bc5152c Mon Sep 17 00:00:00 2001 From: brucec Date: Sat, 28 Aug 2010 16:32:01 +0000 Subject: Fix incorrect usage of 'assure' and 'insure'. Approved by: rrs (mentor) --- lib/libc/stdio/printf.3 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/libc/stdio/printf.3') diff --git a/lib/libc/stdio/printf.3 b/lib/libc/stdio/printf.3 index 90a8ed8..a0d2613 100644 --- a/lib/libc/stdio/printf.3 +++ b/lib/libc/stdio/printf.3 @@ -849,7 +849,7 @@ and .Fn vsprintf assume an infinitely long string, callers must be careful not to overflow the actual space; -this is often hard to assure. +this is often hard to ensure. For safety, programmers should use the .Fn snprintf interface instead. -- cgit v1.1 From 7adc5f91cff836324150e37db070cf854b475e73 Mon Sep 17 00:00:00 2001 From: brucec Date: Sat, 11 Sep 2010 10:49:56 +0000 Subject: Revert changes of 'assure' to 'ensure' made in r211936. Approved by: rrs (mentor) --- lib/libc/stdio/printf.3 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/libc/stdio/printf.3') diff --git a/lib/libc/stdio/printf.3 b/lib/libc/stdio/printf.3 index a0d2613..90a8ed8 100644 --- a/lib/libc/stdio/printf.3 +++ b/lib/libc/stdio/printf.3 @@ -849,7 +849,7 @@ and .Fn vsprintf assume an infinitely long string, callers must be careful not to overflow the actual space; -this is often hard to ensure. +this is often hard to assure. For safety, programmers should use the .Fn snprintf interface instead. -- cgit v1.1
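Review bot: commit 48496193 bundles two unrelated changes under one subject ("wording of the history" and "ANSIfy vasprintf()"), while its only printf.3 hunk, at @@ -891, is the HISTORY rewording. Splitting the vasprintf() change into its own commit would let the manual-page wording be merged or backed out independently, and the subject for this hunk could then say just what was reworded (".Ox 2.3 by .An Todd C. Miller").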
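Review bot: in commit 15a09e02, the @@ -525 hunk keeps the exponent sign of the hexadecimal style inside an optional bracket ("Oo \(+- Oc"), whereas the decimal style in the @@ -449 hunk shows it unbracketed ("Li e \(+- Ar dd"). C99 writes the hexadecimal style as p±d with the sign always present, so if that is also what this implementation prints, the Oo/Oc pair should be dropped while the line is being touched; otherwise a short note on when the sign is omitted would help.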
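Review bot: in commit 1ab3783e, the example re-added by the @@ -835 hunk presents "snprintf(onstack, sizeof(onstack), "%s, %s", ...)" into "char onstack[8]" as the better form but discards the return value, so the truncation that an 8-byte buffer makes almost certain goes undetected. The move itself is verbatim, which is right for this commit; as a follow-up, the example (and the closing "proper secure idiom" line) should show the result being compared against sizeof(buffer), since silently truncated output can be a problem of its own where the string is later used as a path, command or key.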
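Review bot: the message of revert commit 7adc5f91 does not say why "this is often hard to assure." is being restored at @@ -849, although commit 76d72447 had described that usage as incorrect. Add a sentence giving the reason for the revert (for example, whether the original wording was judged correct or the earlier change was made without agreement), so the history does not invite the same edit again.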