summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTodd C. Miller <millert@cvs.openbsd.org>2000-07-16 22:44:59 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2000-07-16 22:44:59 +0000
commit0a24e02b6c0cddae26902400e476fbc2a416c9b1 (patch)
treea5af2c642326a36b6b45d368e0a6687369286c7d
parent8352d6ce819ef1ddee08b0f601c6fb179b10cf92 (diff)
Stronger caveat wrt stack smashing via % escapes. Each man page
carries the same caveat...
-rw-r--r--lib/libc/gen/setproctitle.320
-rw-r--r--lib/libc/gen/syslog.320
-rw-r--r--lib/libc/stdio/printf.319
3 files changed, 48 insertions, 11 deletions
diff --git a/lib/libc/gen/setproctitle.3 b/lib/libc/gen/setproctitle.3
index a8eabe1a12e..fd0f5c22a6f 100644
--- a/lib/libc/gen/setproctitle.3
+++ b/lib/libc/gen/setproctitle.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: setproctitle.3,v 1.9 2000/07/07 00:13:56 aaron Exp $
+.\" $OpenBSD: setproctitle.3,v 1.10 2000/07/16 22:44:58 millert Exp $
.\"
.\" Copyright (c) 1994, 1995 Christopher G. Demetriou
.\" All rights reserved.
@@ -74,10 +74,20 @@ The
function first appeared in
.Nx 0.9a .
.Sh CAVEATS
-Never pass a user-supplied string directly as a format without using %s,
-as an attacker can put format specifiers in that string to mangle your
-stack.
-Be sure to use the proper secure idiom:
+It is important to never pass a string with user-supplied data as a
+format without using %s.
+An attacker can put format specifiers in the string to mangle your stack,
+leading to a possible security hole.
+This holds true even if you have built the string
+.Dq by hand
+using a function like
+.Fn snprintf ,
+as the attacker can escape the percent sign
+.Pq Sq %
+for later interpolation by
+.Fn setproctitle .
+.Pp
+Be sure to always use the proper secure idiom:
.Bd -literal -offset indent
setproctitle("%s", string);
.Ed
diff --git a/lib/libc/gen/syslog.3 b/lib/libc/gen/syslog.3
index 3dc53dd111c..f7e48e952f1 100644
--- a/lib/libc/gen/syslog.3
+++ b/lib/libc/gen/syslog.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: syslog.3,v 1.7 1999/07/09 13:35:19 aaron Exp $
+.\" $OpenBSD: syslog.3,v 1.8 2000/07/16 22:44:58 millert Exp $
.\"
.\" Copyright (c) 1985, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -269,3 +269,21 @@ syslog(LOG_INFO|LOG_LOCAL2, "foobar error: %m");
These
functions appeared in
.Bx 4.2 .
+.Sh CAVEATS
+It is important to never pass a string with user-supplied data as a
+format without using %s.
+An attacker can put format specifiers in the string to mangle your stack,
+leading to a possible security hole.
+This holds true even if you have built the string
+.Dq by hand
+using a function like
+.Fn snprintf ,
+as the attacker can escape the percent sign
+.Pq Sq %
+for later interpolation by
+.Fn syslog .
+.Pp
+Be sure to always use the proper secure idiom:
+.Bd -literal -offset indent
+syslog("%s", string);
+.Ed
diff --git a/lib/libc/stdio/printf.3 b/lib/libc/stdio/printf.3
index 6a9f4f34942..4225c6fd77b 100644
--- a/lib/libc/stdio/printf.3
+++ b/lib/libc/stdio/printf.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: printf.3,v 1.29 2000/07/07 00:09:10 aaron Exp $
+.\" $OpenBSD: printf.3,v 1.30 2000/07/16 22:44:57 millert Exp $
.\"
.\" Copyright (c) 1990, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -686,10 +686,19 @@ systems and the
.Fn asprintf
interface is not portable.
.Pp
-Never print a user-supplied string directly as a format without using
-.Cm %s ,
-as an attacker can put format specifiers in that string to mangle
-your stack.
+It is important to never pass a string with user-supplied data as a
+format without using %s.
+An attacker can put format specifiers in the string to mangle your stack,
+leading to a possible security hole.
+This holds true even if you have built the string
+.Dq by hand
+using a function like
+.Fn snprintf ,
+as the attacker can escape the percent sign
+.Pq Sq %
+for later interpolation by
+.Fn printf .
+.Pp
Be sure to use the proper secure idiom:
.Bd -literal -offset indent
snprintf(buffer, sizeof(buffer), "%s", string);