Bugtraq mailing list archives
Re: StackGuard with ... Re: [Paper] Format bugs.
From: Ken Alverson <t-kenalv () MICROSOFT COM>
Date: Mon, 24 Jul 2000 20:43:37 -0700
What you really want is to have typesafe varargs, or no varargs at all. Typesafe varargs are not enforceable nor cleanly implementable in C without major changes to the language. Without typesafe varargs, a safer way would be to implement output without the use of varargs; however, this will cause your code to be longer than the equivalent printf. Given appropriate print function overloads, the following code would be much safer:

    char buf[LEN]="";
    char* insert=buf;
    char* end=buf+LEN;
    print(&insert,end,"Hello, ");
    print(&insert,end,username);
    print(&insert,end,", you have visited ");
    print(&insert,end,visits);
    print(&insert,end," times!");

If you wanted formatting, you could simply make an appropriate print overload that could take the same parameters that would go into a printf format string. I.e.:

    nprintf(buf,LEN,"%4.3g",myFloat);

would become

    print(&insert,end,myFloat,4,3);

Print could even be implemented in terms of safety-checked printf's, if so inclined.

Such type safety does cause longer code, which is why "<<" was overloaded for C++ streams to allow this same form of typesafe output without a huge code bloat. The best you could do easily in C would be to throw the buffer pointer, insert pointer, and end-of-buffer pointer into a struct and pass that instead of spelling it out in each call (and maybe renaming print to something shorter since it will be called so often). This would also minimize the chance for programmer error, passing the wrong pointers and whatnot. But then you might as well use C++.

Ken

-----Original Message-----
From: Greg A. Woods [mailto:woods () WEIRD COM]
Sent: Monday, July 24, 2000 11:32 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: StackGuard with ... Re: [Paper] Format bugs.

[ On Monday, July 24, 2000 at 13:16:32 (+0300), Valentin Nechayev wrote: ]
> Subject: Re: StackGuard with ... Re: [Paper] Format bugs.
>
> It is IMHO really needed to include something similar to GCC's __attribute((format(*printf))) in the C standard. All other aspects can be handled with existing features.

That only helps if you can somehow force the programmer to always hard-code the format string at compile time. Currently this is impossible (I suppose the "format" attribute could do this), and indeed undesirable to many no doubt too!

A true fix requires something that would change the language definition in a more fundamental way. I think the best idea would be to revise the calling conventions used for functions with variable numbers of arguments (or perhaps all functions) and define a new varargs/stdargs API (complete with error handling) that can be made a part of the language definition such that a function can discern, at run time, the number of, and type of, parameters it was called with. (Optionally the compiler could include code that verified the arguments of all functions at runtime too!)

However, as Theo says, that's never [or not likely] going to happen, at least not for the language commonly called `C'. It's already too late for C9X, I think; and it obviously means yet another invention is added to a language that was already pretty well standardised in 1980 except for the fact that some people refused to honour its inventor's ideas faithfully.

--
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods () acm org> <robohack!woods>
Planix, Inc. <woods () planix com>; Secrets of the Weird <woods () weird com>
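Ken's sketch, worked into compilable C as an added example (this is not code from the post or from any project): the buffer, insert cursor and end pointer go into the struct he suggests, every append is bounded by that end pointer, strings are copied rather than interpreted, and numbers are rendered through a constant format string. C11's _Generic, which postdates this thread, stands in for the C++ overloads the post assumes so that print() is selected by argument type at compile time. The names outbuf, ob_append, print_str, print_long, print_double and greeting are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Buffer, insert cursor and one-past-the-end pointer bundled into one struct,
 * as the post suggests, so callers cannot hand print() mismatched pointers.
 * (Added example: outbuf and the function names below are assumptions, not the post's.) */
typedef struct {
    char  *buf;
    char  *insert;     /* next byte to write */
    char  *end;        /* buf + capacity; the last byte is reserved for the NUL */
    int    truncated;  /* set when any append did not fit */
} outbuf;

static void ob_init(outbuf *ob, char *storage, size_t cap)
{
    ob->buf = ob->insert = storage;
    ob->end = storage + cap;
    ob->truncated = 0;
    if (cap > 0)
        storage[0] = '\0';
}

/* The single bounded write everything else goes through: copies at most
 * (end - insert - 1) bytes and always leaves the buffer NUL-terminated. */
static void ob_append(outbuf *ob, const char *src, size_t len)
{
    size_t room = (size_t)(ob->end - ob->insert);
    if (room == 0) {              /* zero-capacity buffer: nothing can be written */
        ob->truncated = 1;
        return;
    }
    room -= 1;                    /* keep the terminator slot */
    if (len > room) {
        len = room;
        ob->truncated = 1;
    }
    memcpy(ob->insert, src, len);
    ob->insert += len;
    *ob->insert = '\0';
}

/* Strings are data, never format strings: copied byte for byte, so a
 * username such as "%x%x%n" is reproduced literally instead of interpreted. */
static void print_str(outbuf *ob, const char *s)
{
    ob_append(ob, s, strlen(s));
}

/* Numbers are rendered with a constant format into a scratch buffer, i.e.
 * "implemented in terms of safety-checked printf's" as the post allows. */
static void print_long(outbuf *ob, long v)
{
    char tmp[32];
    int n = snprintf(tmp, sizeof tmp, "%ld", v);
    if (n > 0)
        ob_append(ob, tmp, (size_t)n < sizeof tmp ? (size_t)n : sizeof tmp - 1);
}

/* Counterpart of the post's print(&insert,end,myFloat,4,3): width and
 * precision are plain integer parameters, not part of a caller-built format. */
static void print_double(outbuf *ob, double v, int width, int prec)
{
    char tmp[64];
    int n = snprintf(tmp, sizeof tmp, "%*.*g", width, prec, v);
    if (n > 0)
        ob_append(ob, tmp, (size_t)n < sizeof tmp ? (size_t)n : sizeof tmp - 1);
}

/* C11 _Generic stands in for the C++ overloads the post assumes: the argument's
 * static type selects the printer, and an unlisted type is a compile error
 * rather than a mis-read vararg. */
#define print(ob, x) _Generic((x),                  \
        char *: print_str, const char *: print_str, \
        int: print_long, long: print_long)(ob, x)

/* The greeting from the post, built into caller-supplied storage. */
static const char *greeting(char *storage, size_t cap, const char *username,
                            long visits, int *truncated)
{
    outbuf ob;
    ob_init(&ob, storage, cap);
    print(&ob, "Hello, ");
    print(&ob, username);
    print(&ob, ", you have visited ");
    print(&ob, visits);
    print(&ob, " times!");
    if (truncated)
        *truncated = ob.truncated;
    return storage;
}

int main(void)
{
    char buf[64];
    int tr;
    /* A hostile username comes out literally; nothing is ever passed as a format. */
    puts(greeting(buf, sizeof buf, "%x%x%n", 7, &tr));
    return tr;
}
```

The truncated flag is the part a practitioner should keep: a bounded writer that silently drops output is still a correctness bug, and callers of greeting() can check it before using the result. Passing a type the macro does not list, say a pointer to a struct, fails at compile time, which is exactly the property varargs cannot give.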
Current thread:
- Re: StackGuard with ... Re: [Paper] Format bugs. Morten Welinder (Jul 24)
- Re: StackGuard with ... Re: [Paper] Format bugs. Robert Bihlmeyer (Jul 25)
- <Possible follow-ups>
- Re: StackGuard with ... Re: [Paper] Format bugs. Ken Alverson (Jul 25)