C Formatted Output Functions
Vulnerabilities, Attacks, and Mitigation
Prof. David Bernstein
Computer Science Department
bernstdh@jmu.edu
printf():
printf() uses the number of conversion specifications in the format string to determine the number of actual parameters
printf(user_data, total)
printf("%p"); (where "%p" is the pointer specifier)
va_start() uses the last fixed parameter (i.e., the format string) for initialization
va_arg() increments the pointer and returns an address on the stack
printf("%s", p);
p and continuing until a '\0' is encountered
printf("%s");
va_arg() returns the value on the stack below the address of the fixed parameter
'\0') will be printed
printf("\xdc\xf5\x42\x01%x%x%x%s", 1, 2, 3);
\xdc \xf5 \x42 (B) \x01
00000001 00000002 00000003
0x0142f5dc up until the first '\0'
printf("%s%s%s%s%s%s%s%s%s%s%s%s");
SIGSEGV signal or abnormal termination)
after the last '\0' character
%n Vulnerability
The %n conversion specifier writes the number of characters output so far to the address provided as an argument
printf("JMU%n", (int *)&i);
i will contain the value 3
tainted) if you can't completely exclude it
%n
-Wformat checks the number of parameters
-Wformat-nonliteral checks the format strings that are not literals
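
As an added example (not part of the original slides): printf() trusts the format string to say how many arguments exist, so the hypothetical helper scan_format() below counts the arguments and %n stores a tainted string would request if it were used as a format, and emit_tainted() shows the corrected call that passes the string as data to a literal "%s". The helper names and the sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* What printf() would do if handed this string as its format. */
struct fmt_scan {
    int args;    /* arguments va_arg() would fetch, including '*' widths */
    int writes;  /* %n specifications, each a store through a fetched pointer */
};

/* Hypothetical helper (not a libc function): count conversion specifications. */
struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = {0, 0};
    while ((s = strchr(s, '%')) != NULL) {
        s++;                                  /* step past '%' */
        if (*s == '%') { s++; continue; }     /* "%%" takes no argument */
        for (; *s && strchr("-+ #0123456789.*", *s); s++)
            if (*s == '*') r.args++;          /* '*' width/precision is an int argument */
        s += strspn(s, "hljztLq");            /* length modifiers */
        if (*s == '\0') break;                /* dangling '%' at end of input */
        r.args++;
        if (*s == 'n') r.writes++;
        s++;
    }
    return r;
}

/* Tainted text is passed as data; the only format string is the literal "%s". */
int emit_tainted(char *out, size_t cap, const char *tainted)
{
    return snprintf(out, cap, "%s", tainted);
}

int main(void)
{
    /* Constructed sample inputs; the first two are format strings shown on the slides. */
    const char *samples[] = { "JMU%n", "%s%s%s%s%s%s%s%s%s%s%s%s", "100%% done" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct fmt_scan r = scan_format(samples[i]);
        emit_tainted(buf, sizeof buf, samples[i]);
        printf("%-26s args=%d writes=%d\n", buf, r.args, r.writes);
    }
    return 0;
}
```

Any string for which scan_format() reports args greater than zero would make printf(user_data) read stack values that were never passed, which is the mismatch -Wformat-nonliteral warns about at compile time.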