printf behaviour with illegal or malformed format string

Bruce Evans bde at zeta.org.au
Tue Dec 13 04:41:40 PST 2005


On Tue, 13 Dec 2005, Poul-Henning Kamp wrote:

> In message <20051213175413.H80942 at delplex.bde.org>, Bruce Evans writes:
>
>> There is also fmtcheck(3).
>
> I didn't even know about that one, but given that there are only two
> uses in all of /src I do not feel ashamed.

I learned about it from commit mail (or arch?) when Kris was sweeping for
security holes related to printf formats.

>> Extensions should rarely be needed for printf(),
>
> Actually I disagree with you on that.
>
> It was my list of "things I keep doing over and over" that convinced
> me otherwise.

Now I think they should be very rarely needed and more rarely used.
Using them mainly gives unportable code that breaks especially badly
on systems which don't support extensions.

> Here are some of the formats I miss, and which I will probably write
> extensions for so people can trivially enable them:
>
> 	%T	print a time_t
> 	%lT	print a struct timeval
> 	%llT	print a struct timespec
> 	%I	print an IP#
> 	%lI	print an IPv6#
> 	%H	Hexdump
> 	%V	stringvis a string
> 	%M	Metric (like the "engineering" format on HP calculators)
> 	%H	"Human" (Tera,Giga,Mega,Kilo{bits,bytes})

I think these belong in specialized applications or libraries.  %T is
already handled better by strftime/gmtime/localtime.  It has lots of
subformats and delicate conversion issues.  A generic %T couldn't
reasonably support much more than "%[#0- +,]*.*T".  If a generic version
were implemented as a function in libc, then
printf("%T", asprintf_time_t(tt)) wouldn't be much harder to write than
printf("%T", tt), but storage management for it would be harder.  Maybe
you really want to write cout << tt :-).

>>>> I'm leaning towards doing what phkmalloc has migrated to over time:
>>>> Make a variable which can select between "normal/paranoia" and force
>>>> it to paranoia for (uid==0 || gid==0 || setuid || setgid).
>>>>
>>>> If the variable is set, a bogus format string will result in abort(2).
>>
>> This sometimes breaks defined behaviour.
>
> It does ?  I didn't think there were defined behaviour for bogus
> format strings ?

I mean aborting instead of returning NULL for failing malloc()s breaks
defined behaviour.

Bruce
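The fmtcheck(3) mentioned at the top of the thread is the usual defence when a format string comes from somewhere other than the programmer (a message catalogue, a configuration file): the caller supplies a trusted default, and the candidate is only used if it consumes exactly the same argument list. The following is an added example written for this page, not FreeBSD's fmtcheck(3) and not anyone's code from the thread; it is a hypothetical portable re-implementation, check_format(), that compiles anywhere, and it deliberately rejects %n outright (a stricter choice than the real function). The candidate formats in main() are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fmtcheck-style validator (not FreeBSD's fmtcheck(3)).
 * Walks the conversions in fmt and writes a compact argument signature,
 * one entry per va_arg the format would consume. Returns 1 on success,
 * 0 if the format is malformed, uses %n, or the signature buffer is too
 * small. Integer-class conversions (and '*' width/precision) all become
 * 'd', floating conversions 'f', strings 's', pointers 'p'; length
 * modifiers are copied verbatim so "%d" and "%ld" do not match. */
static int fmt_signature(const char *fmt, char *sig, size_t siglen)
{
    size_t n = 0;
    const char *p = fmt;
#define PUT(ch) do { if (n + 1 >= siglen) return 0; sig[n++] = (ch); } while (0)
    while (*p != '\0') {
        if (*p++ != '%')
            continue;                       /* ordinary character */
        if (*p == '%') { p++; continue; }   /* "%%": literal, no argument */
        /* flags */
        while (*p != '\0' && strchr("#0- +'", *p) != NULL)
            p++;
        /* field width: digits, or '*' which consumes an extra int */
        if (*p == '*') { PUT('d'); PUT(','); p++; }
        else while (isdigit((unsigned char)*p)) p++;
        /* precision, same rule */
        if (*p == '.') {
            p++;
            if (*p == '*') { PUT('d'); PUT(','); p++; }
            else while (isdigit((unsigned char)*p)) p++;
        }
        /* length modifiers, kept verbatim in the signature */
        while (*p != '\0' && strchr("hlLjzt", *p) != NULL) { PUT(*p); p++; }
        /* conversion character, normalised to an argument class */
        char cls;
        switch (*p) {
        case 'd': case 'i': case 'o': case 'u': case 'x': case 'X': case 'c':
            cls = 'd'; break;
        case 'e': case 'E': case 'f': case 'F':
        case 'g': case 'G': case 'a': case 'A':
            cls = 'f'; break;
        case 's': cls = 's'; break;
        case 'p': cls = 'p'; break;
        default:  return 0;   /* %n, unknown conversion, or '%' at end */
        }
        PUT(cls); PUT(',');
        p++;
    }
#undef PUT
    sig[n] = '\0';
    return 1;
}

/* Hypothetical portable analogue of fmtcheck(3): return fmt_suggested only
 * if it takes exactly the same argument list as the trusted fmt_default,
 * otherwise fall back to fmt_default. */
const char *check_format(const char *fmt_suggested, const char *fmt_default)
{
    char a[128], b[128];
    if (fmt_suggested == NULL)
        return fmt_default;
    if (!fmt_signature(fmt_suggested, a, sizeof a) ||
        !fmt_signature(fmt_default, b, sizeof b))
        return fmt_default;
    return strcmp(a, b) == 0 ? fmt_suggested : fmt_default;
}

int main(void)
{
    const char *def = "%s has %d items";     /* the programmer's own format */
    /* constructed candidates, as they might arrive from a message catalogue */
    const char *candidates[] = {
        "%-20s: %5d items",   /* same arguments, different layout: accepted */
        "%s %d %d",           /* one argument too many: rejected */
        "%s items %",         /* malformed trailing '%': rejected */
        "%s has %ld",         /* wrong length modifier: rejected */
        "%s has %d%n",        /* %n: rejected */
    };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        const char *chosen = check_format(candidates[i], def);
        printf("%-20s -> %s\n", candidates[i],
               chosen == candidates[i] ? "accepted" : "rejected, using default");
    }
    return 0;
}
```

The design point is the one fmtcheck(3) embodies: the untrusted string is never compared against "is this a valid format" in the abstract, but against the exact argument list the call site is going to pass, so a candidate that is syntactically fine yet consumes more or differently typed arguments is still rejected.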