printf.3 (207940) | printf.3 (208027) |
---|---|
1.\" Copyright (c) 1990, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" This code is derived from software contributed to Berkeley by 5.\" Chris Torek and the American National Standards Committee X3, 6.\" on Information Processing Systems. 7.\" 8.\" Redistribution and use in source and binary forms, with or without --- 16 unchanged lines hidden (view full) --- 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 31.\" 32.\" @(#)printf.3 8.1 (Berkeley) 6/4/93 | 1.\" Copyright (c) 1990, 1991, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" This code is derived from software contributed to Berkeley by 5.\" Chris Torek and the American National Standards Committee X3, 6.\" on Information Processing Systems. 7.\" 8.\" Redistribution and use in source and binary forms, with or without --- 16 unchanged lines hidden (view full) --- 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 31.\" 32.\" @(#)printf.3 8.1 (Berkeley) 6/4/93 |
33.\" $FreeBSD: head/lib/libc/stdio/printf.3 207940 2010-05-11 23:08:15Z uqs $ | 33.\" $FreeBSD: head/lib/libc/stdio/printf.3 208027 2010-05-13 12:07:55Z uqs $ |
34.\" 35.Dd December 2, 2009 36.Dt PRINTF 3 37.Os 38.Sh NAME 39.Nm printf , fprintf , sprintf , snprintf , asprintf , dprintf , 40.Nm vprintf , vfprintf, vsprintf , vsnprintf , vasprintf, vdprintf 41.Nd formatted output conversion --- 662 unchanged lines hidden (view full) --- 704 if ((p = malloc(128)) == NULL) 705 return (NULL); 706 va_start(ap, fmt); 707 (void) vsnprintf(p, 128, fmt, ap); 708 va_end(ap); 709 return (p); 710} 711.Ed | 34.\" 35.Dd December 2, 2009 36.Dt PRINTF 3 37.Os 38.Sh NAME 39.Nm printf , fprintf , sprintf , snprintf , asprintf , dprintf , 40.Nm vprintf , vfprintf, vsprintf , vsnprintf , vasprintf, vdprintf 41.Nd formatted output conversion --- 662 unchanged lines hidden (view full) --- 704 if ((p = malloc(128)) == NULL) 705 return (NULL); 706 va_start(ap, fmt); 707 (void) vsnprintf(p, 128, fmt, ap); 708 va_end(ap); 709 return (p); 710} 711.Ed |
712.Sh SECURITY CONSIDERATIONS 713The 714.Fn sprintf 715and 716.Fn vsprintf 717functions are easily misused in a manner which enables malicious users 718to arbitrarily change a running program's functionality through 719a buffer overflow attack. 720Because 721.Fn sprintf 722and 723.Fn vsprintf 724assume an infinitely long string, 725callers must be careful not to overflow the actual space; 726this is often hard to assure. 727For safety, programmers should use the 728.Fn snprintf 729interface instead. 730For example: 731.Bd -literal 732void 733foo(const char *arbitrary_string, const char *and_another) 734{ 735 char onstack[8]; 736 737#ifdef BAD 738 /* 739 * This first sprintf is bad behavior. Do not use sprintf! 740 */ 741 sprintf(onstack, "%s, %s", arbitrary_string, and_another); 742#else 743 /* 744 * The following two lines demonstrate better use of 745 * snprintf(). 746 */ 747 snprintf(onstack, sizeof(onstack), "%s, %s", arbitrary_string, 748 and_another); 749#endif 750} 751.Ed 752.Pp 753The 754.Fn printf 755and 756.Fn sprintf 757family of functions are also easily misused in a manner 758allowing malicious users to arbitrarily change a running program's 759functionality by either causing the program 760to print potentially sensitive data 761.Dq "left on the stack" , 762or causing it to generate a memory fault or bus error 763by dereferencing an invalid pointer. 764.Pp 765.Cm %n 766can be used to write arbitrary data to potentially carefully-selected 767addresses. 768Programmers are therefore strongly advised to never pass untrusted strings 769as the 770.Fa format 771argument, as an attacker can put format specifiers in the string 772to mangle your stack, 773leading to a possible security hole. 774This holds true even if the string was built using a function like 775.Fn snprintf , 776as the resulting string may still contain user-supplied conversion specifiers 777for later interpolation by 778.Fn printf . 779.Pp 780Always use the proper secure idiom: 781.Pp 782.Dl "snprintf(buffer, sizeof(buffer), \*q%s\*q, string);" | |
783.Sh COMPATIBILITY 784Many application writers used the name 785.Va dprintf 786before the 787.Fn dprintf 788function was introduced in 789.St -p1003.1 , 790so a prototype is not provided by default in order to avoid --- 110 unchanged lines hidden (view full) --- 901functions were added in 902.Fx 8.0 . 903.Sh BUGS 904The 905.Nm 906family of functions do not correctly handle multibyte characters in the 907.Fa format 908argument. | 712.Sh COMPATIBILITY 713Many application writers used the name 714.Va dprintf 715before the 716.Fn dprintf 717function was introduced in 718.St -p1003.1 , 719so a prototype is not provided by default in order to avoid --- 110 unchanged lines hidden (view full) --- 830functions were added in 831.Fx 8.0 . 832.Sh BUGS 833The 834.Nm 835family of functions do not correctly handle multibyte characters in the 836.Fa format 837argument. |
838.Sh SECURITY CONSIDERATIONS 839The 840.Fn sprintf 841and 842.Fn vsprintf 843functions are easily misused in a manner which enables malicious users 844to arbitrarily change a running program's functionality through 845a buffer overflow attack. 846Because 847.Fn sprintf 848and 849.Fn vsprintf 850assume an infinitely long string, 851callers must be careful not to overflow the actual space; 852this is often hard to assure. 853For safety, programmers should use the 854.Fn snprintf 855interface instead. 856For example: 857.Bd -literal 858void 859foo(const char *arbitrary_string, const char *and_another) 860{ 861 char onstack[8]; 862 863#ifdef BAD 864 /* 865 * This first sprintf is bad behavior. Do not use sprintf! 866 */ 867 sprintf(onstack, "%s, %s", arbitrary_string, and_another); 868#else 869 /* 870 * The following two lines demonstrate better use of 871 * snprintf(). 872 */ 873 snprintf(onstack, sizeof(onstack), "%s, %s", arbitrary_string, 874 and_another); 875#endif 876} 877.Ed 878.Pp 879The 880.Fn printf 881and 882.Fn sprintf 883family of functions are also easily misused in a manner 884allowing malicious users to arbitrarily change a running program's 885functionality by either causing the program 886to print potentially sensitive data 887.Dq "left on the stack" , 888or causing it to generate a memory fault or bus error 889by dereferencing an invalid pointer. 890.Pp 891.Cm %n 892can be used to write arbitrary data to potentially carefully-selected 893addresses. 894Programmers are therefore strongly advised to never pass untrusted strings 895as the 896.Fa format 897argument, as an attacker can put format specifiers in the string 898to mangle your stack, 899leading to a possible security hole. 900This holds true even if the string was built using a function like 901.Fn snprintf , 902as the resulting string may still contain user-supplied conversion specifiers 903for later interpolation by 904.Fn printf . 905.Pp 906Always use the proper secure idiom: 907.Pp 908.Dl "snprintf(buffer, sizeof(buffer), \*q%s\*q, string);" |
|