 
                            Never call any formatted I/O function with a format string containing user input.
If the user can control a format string, they can write to arbitrary memory locations. The most common form of this error is in output operation. The rarely used and often forgotten %n format specification causes the number of characters written to be written to a pointer passed on the stack.
Non-Compliant Code Example
In this example, the input is outputted directly as a format string. By putting %n in the input, the user can write arbitrary values to whatever the stack happens to point to. This can frequently be leveraged to execute arbitrary code. In any case, by including other point operations (such as %s), fprintf() will interpret values on the stack as pointers. This can be used to learn secret information and almost certainly can be used to crash the program.
char input[1000]; fgets(input, sizeof(input)-1, stdin); input[sizeof(input)-1] = '\0'; fprintf(stdout, input);
Non-Compliant Code Example
In this example, the library function syslog() interprets the string msg as a format string, resulting in the same security problem as before. This is a common idiom for displaying the same message in multiple locations or when the message is difficult to build.
void check_password(char *user, char *password) {
  if (strcmpy(password(user), password) != 0) {
    char *msg = malloc(strlen(user) + 100);
    if (!msg) return;
    sprintf (msg, "Wrong password for user %s", user);
    syslog(LOG_INFO, msg);
    free(msg);
  }
}
Compliant Solution 1
This example outputs the string directly instead of building it and then outputting it.
void check_password(char *user, char *password) {
  if (strcmpy(password(user), password) \!= 0) {
    fprintf (stderr, "Wrong password for user %s", user);
  }
}
Compliant Solution 2
In this example, the message is built normally, but is then outputted as a string instead of a format string.
void check_password(char *user, char *password) {
  if (strcmpy(password(user), password) \!= 0) {
    char *msg = malloc(strlen(user) + 100);
    if (!msg) return;
    sprintf (msg, "Wrong password for user %s", user);
    fprintf (stderr, "%s", user);
    syslog(LOG_INFO, "%s", msg);
    free(msg);
  }
}
Priority: P27 Level: L1
The mismanagement of memory can lead to freeing memory multiple times or writing to already freed memory. Both of these problems can result in an attacker executing arbitrary code with the permissions of the vulnerable process. Memory management errors can also lead to resource depletion and denial-of-service attacks.
| Component | Value | 
|---|---|
| Severity | 3 (high) | 
| Likelihood | 3 (probable) | 
| Remediation cost | 3 (low) | 
References
- ISO/IEC 9899-1999 7.19.6 Formatted input/output functions
- Seacord 05 Chapter 6 Formatted Output