Versions Compared

...

An attacker who can fully or partially control the contents of a format string can crash a vulnerable process, view the contents of the stack, view memory content, or write to an arbitrary memory location and consequently execute arbitrary code with the permissions of the vulnerable process [Seacord 05a].

...

Code Block
bgColor#FFCCCC
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void incorrect_password(char const *user) {
  /* user names are restricted to 256 characters or less */
  static char const msg_format[]
    = "%s cannot be authenticated.\n";
  /* sizeof on the array (not on a pointer) counts the format text plus its NUL */
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *) malloc(len);
  if (!msg) {
    /* handle error condition */
    return;
  }
  snprintf(msg, len, msg_format, user);
  /* msg now contains user-supplied text and is passed as the format string */
  fprintf(stderr, msg);
  free(msg);
  msg = NULL;
}

...

Code Block
bgColor#ccccff
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

void incorrect_password(char const *user) {
  /* user names are restricted to 256 characters or less */
  static char const msg_format[]
    = "%s cannot be authenticated.\n";
  /* sizeof on the array (not on a pointer) counts the format text plus its NUL */
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *) malloc(len);
  if (!msg) {
    /* handle error condition */
    return;
  }
  snprintf(msg, len, msg_format, user);
  /* fputs() takes no format string, so the user-derived text is written literally */
  fputs(msg, stderr);
  free(msg);
  msg = NULL;
}

...

Code Block
bgColor#FFCCCC
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

void incorrect_password(char const *user) {
  /* user names are restricted to 256 characters or less */
  static char const msg_format[]
    = "%s cannot be authenticated.\n";
  /* sizeof on the array (not on a pointer) counts the format text plus its NUL */
  size_t len = strlen(user) + sizeof(msg_format);
  char *msg = (char *) malloc(len);
  if (!msg) {
    /* handle error condition */
    return;
  }
  snprintf(msg, len, msg_format, user);
  /* syslog() interprets its second argument as a format string; msg contains user data */
  syslog(LOG_INFO, msg);
  free(msg);
  msg = NULL;
}
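The following is an added example, written for this page and not part of the CERT rule's own code, that shows the defensive pattern the examples above illustrate: user-controlled text is always passed as the data argument of a constant format, and a small audit helper reports whether untrusted text carries conversion specifications so that such text can be traced if it is ever found near a format position. The function names count_conversions(), build_auth_message() and log_auth_failure() are hypothetical, and the user name "alice%n%s" is a constructed input.

```c
/* Added example (not the CERT rule's own code). Function names are hypothetical. */
#include <stdio.h>
#include <string.h>

/* The only text that ever reaches a printf-family function as its format. */
static const char msg_format[] = "%s cannot be authenticated.\n";

/* Count conversion specifications ('%' not part of "%%") in a string.
 * Audit/detection hook: a non-zero result for text that came from a user
 * means that text must never be used where a format string is expected. */
size_t count_conversions(const char *s) {
    size_t n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; } /* "%%" is a literal percent sign */
        n++;                                /* also counts a lone trailing '%' */
    }
    return n;
}

/* Format the failure message into a caller-supplied buffer. 'user' is the
 * %s argument, so any '%' it contains is copied literally. Returns the
 * message length, or -1 if it would not fit (truncation is refused). */
int build_auth_message(const char *user, char *buf, size_t bufsize) {
    int n = snprintf(buf, bufsize, msg_format, user);
    if (n < 0 || (size_t)n >= bufsize) {
        if (bufsize > 0) buf[0] = '\0';
        return -1;
    }
    return n;
}

/* Emit the message with a constant "%s" format; the user-derived text is
 * data only. Returns the number of characters written, or -1 on failure. */
int log_auth_failure(FILE *out, const char *user) {
    /* user names are restricted to 256 characters or less, plus the format text */
    char msg[256 + sizeof msg_format];
    if (build_auth_message(user, msg, sizeof msg) < 0)
        return -1;
    return fprintf(out, "%s", msg);
}

int main(void) {
    /* Constructed untrusted input that contains conversion specifiers. */
    const char *user = "alice%n%s";
    size_t k = count_conversions(user);
    if (k > 0)
        fprintf(stderr, "audit: user name carries %zu conversion specifier(s); "
                        "it is written as data only\n", k);
    return log_auth_failure(stderr, user) < 0;
}
```

Run as is, the program writes "alice%n%s cannot be authenticated." to stderr with the percent sequences intact, because the text never occupies the format position. build_auth_message() refuses truncation rather than emitting a partial message, and a user name longer than the documented 256-character limit is rejected by log_auth_failure() for the same reason.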

...

Two recent examples of format-string vulnerabilities resulting from a violation of this rule include Ettercap (http://ettercap.sourceforge.net/history.php) and Samba (http://samba.org/samba/security/CVE-2007-0454.html). In Ettercap v.NG-0.7.2, the ncurses user interface suffers from a format string defect. The curses_msg() function in ec_curses.c calls wdg_scroll_print(), which takes a format string and its parameters and passes it to vw_printw(). The curses_msg() function uses one of its parameters as the format string. This input can include user data, allowing for a format string vulnerability [VU#286468]. The Samba AFS ACL mapping VFS plug-in fails to properly sanitize user-controlled file names that are used in a format specifier supplied to snprintf(). This security flaw becomes exploitable when a user can write to a share that uses Samba's afsacl.so library for setting Windows NT access control lists on files residing on an AFS file system.

...