Re: StackGuard with ... Re: [Paper] Format bugs.

[Ken Alverson <t-kenalv () MICROSOFT COM>]

What you really want is to have typesafe varargs, or no varargs at all.
Typesafe varargs are not enforcable nor cleanly implementable in C without
major changes to the language.  Without typesafe varargs, a safer way would
be to implement output without the use of varargs, however this will cause
your code to be longer than the equivalent printf - given appropriate print
function overloads, the following code would be much safer:

char buf[LEN]="";
char* insert=buf;
char* end=buf+LEN;
print(&insert,end,"Hello, ");
print(&insert,end,username);
print(&insert,end,", you have visited ");
print(&insert,end,visits);
print(&insert,end," times!");

If you wanted formatting, you could simply make an appropriate print
overload, that could take the same parameters that would go into a printf
format string.  IE:

nprintf(buf,LEN,"%4.3g",myFloat);

would become

print(&insert,end,myFloat,4,3);

Print could even be implemented in terms of safety checked printf's, if so
inclined.  Such type safety does cause longer code, which is why "<<" was
overloaded for C++ streams to allow this same form of typesafe output
without a huge code bloat.  The best you could do easily in C would be to
throw the buffer pointer, insert pointer, and end of buffer pointer into a
struct and pass that instead of spelling it out in each call (and maybe
renaming print to something shorter since it will be called so often).  This
would also minimize chance for programmer error, passing the wrong pointers
and whatnot.

But then you might as well use C++.

Ken


-----Original Message-----
From: Greg A. Woods [mailto:woods () WEIRD COM]
Sent: Monday, July 24, 2000 11:32 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: StackGuard with ... Re: [Paper] Format bugs.


[ On Monday, July 24, 2000 at 13:16:32 (+0300), Valentin Nechayev wrote: ]
> Subject: Re: StackGuard with ... Re: [Paper] Format bugs.
>
> It is IMHO really needed to include something similar to GCC's
> __attribute((format(*printf))) to C standard. All another aspects can be
> handled with exiting features.

That only helps if you can somehow force the programmer to always
hard-code the format string at compile time.  Currently this is
impossible (I suppose the "format" attribute could do this), and indeed
undesirable to many no doubt too!

A true fix requires something that would change the language definition
in a more fundamental way.  I think the best idea would be to revise the
calling conventions used for functions with variable numbers of
arguments (or perhaps all functions) and defining a new varargs/stdards
API (complete with error handling) that can be made a part of the
language definition such that a function can discern, at run time, the
number of, and type of, parameters it was called with.  (Optionally the
compiler could include code that verified the arguments of all functions
at runtime too!)

However as Theo says, that's never [or not likely] going to happen, at
least not for the language commonly called `C'.
It's already too late for C9X, I think; and it obviously means yet
another invention is added to a language that was already pretty well
standardardised in 1980 execpt for the fact that some people refused to
honour its inventor's ideas faithfully.

--
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>      <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>