printf behaviour with illegal or malformed format string
Bruce Evans
bde at zeta.org.au
Tue Dec 13 04:41:40 PST 2005
On Tue, 13 Dec 2005, Poul-Henning Kamp wrote:
> In message <20051213175413.H80942 at delplex.bde.org>, Bruce Evans writes:
>
>> There is also fmtcheck(3).
>
> I didn't even know about that one, but given that there is only two
> uses in all of /src I do not feel ashamed.
I learned about it commit mail (or arch?) when Kris was sweeping for
security holes related to printf formats.
>> Extensions should rarely be needed for printf(),
>
> Actually I disagree with you on that.
>
> It was my list of "things I keep doing over and over" that convinced
> me otherwise.
Now I think they should be very rarely needed and more rarely used.
Using them mainly gives unportable code that breaks especially badly
on systems which don't support extensions.
> Here are some of the formats I miss, and which I will probably write
> extensions for so people can trivially enable them:
>
> %T print a time_t
> %lT print a struct timeval
> %llT print a struct timespec
> %I print an IP#
> %lI print an IPv6#
> %H Hexdump
> %V stringvis a string
> %M Metric (like the "engineering" format on HP calculators)
> %H "Human" (Tera,Giga,Mega,Kilo{bits,bytes})
I think these belong in specialized applications or libraries. %T is
already handled better by strftime/gmtime/localtime. It has lots of
subformats and delicate conversion issues. A generic %T couldn't
reasonably support much more than "%[#0- +,]*.*T". If a generic version
were implemented as a function in libc, then
printf("%T", asprintf_time_t(tt)) wouldn't be much harder to write than
printf("%T", tt), but storage management for it would be harder. Maybe
you really want to write cout << tt :-).
>>>> I'm leaning towards doing what phkmalloc has migrated to over time:
>>>> Make a variable which can select between "normal/paranoia" and force
>>>> it to paranoia for (uid==0 || gid==0 || setuid || setgid).
>>>>
>>>> If the variable is set, a bogus format string will result in abort(2).
>>
>> This sometimes breaks defined behaviour.
>
> It does ? I didn't think there were defined behaviour for bogus
> format strings ?
I mean aborting instead of returning NULL for failing malloc()s breaks
defined behaviour.
Bruce
More information about the freebsd-arch
mailing list