On 2022-12-16 09:03:39 -0700, Theo de Raadt wrote:
> Vincent Lefevre <vinc...@vinc17.net> wrote:
>
> > BTW, if developers use an untrusted format string, then sprintf()
> > is unsafe too (possible buffer overflow), and at some point,
> > printf() too.
>
> what are you trying to say?
According to https://www.open-std.org/jtc1/sc22/wg14/www/docs/n2834.htm
it has been proposed to deprecate %n mainly because:

  If the format argument of a printf-style-function originates from an
  unverified source an attacker may be able to write arbitrary values
  to the stack.

But I'm saying that from this point of view, sprintf() is unsafe too,
actually much more unsafe.

Something like %n injection in the format argument can easily be
detected (actually any injection of a format specifier). For instance,
if someone writes

  printf (buf);

assuming that the string buf will be output, where buf has untrusted
contents, then if buf contains %n, the number of arguments will be
incorrect, so that this can be detected at run time (ditto if printf
has arguments that correspond to a trusted part of buf).

However, with

  sprintf (s, buf);

(rather than using snprintf), even if the number of arguments is
checked to be correct, there could still be a buffer overflow with an
untrusted buf.

It's a pity that N2834 doesn't give real-world examples of insecure
use of %n, in particular ones that would not be possible to detect at
run time.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
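The run-time check described in the message above, written out as an added example (not code from the thread or from any libc): a simplified format parser counts the argument-consuming conversions, flags %n, and a wrapper only formats when the count matches what the caller expected, bounding the output with vsnprintf so a well-formed but oversized message is truncated rather than overflowing as sprintf would. The names count_conversions and checked_snprintf are hypothetical; positional arguments (%1$s) are not handled.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Count the argument-consuming conversions in fmt and report whether any
 * is %n.  Returns -1 on a truncated or unknown specifier.  Simplified:
 * handles %%, flags, '*' width/precision and length modifiers only. */
static int count_conversions(const char *fmt, bool *has_n)
{
    int n = 0;
    *has_n = false;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                  /* literal '%', no argument */
        while (*p && strchr("-+ #0", *p)) p++;    /* flags */
        if (*p == '*') { n++; p++; }              /* width taken from an argument */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                          /* precision */
            p++;
            if (*p == '*') { n++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;  /* length modifiers */
        if (!*p || !strchr("diouxXeEfFgGaAcspn", *p))
            return -1;                            /* truncated or unknown conversion */
        if (*p == 'n') *has_n = true;
        n++;                                      /* %n consumes an argument too */
    }
    return n;
}

/* Format into buf only if fmt has exactly nargs argument-consuming conversions
 * and no %n.  Returns the vsnprintf result, or -1 if fmt was rejected. */
int checked_snprintf(char *buf, size_t size, int nargs, const char *fmt, ...)
{
    bool has_n;
    int found = count_conversions(fmt, &has_n);
    if (found < 0 || has_n || found != nargs) {
        if (size) buf[0] = '\0';
        return -1;
    }
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(buf, size, fmt, ap);        /* bounded, unlike sprintf */
    va_end(ap);
    return r;
}
```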