From 2de21960267bf0a1c33d2a13c07402ee757d8161 Mon Sep 17 00:00:00 2001
From: Eric Melville
Date: Fri, 25 May 2001 20:42:40 +0000
Subject: [PATCH] Add warnings about trusting user-supplied data.

Reviewed by: ru
Approved by: murray
Obtained from: OpenBSD
---
 lib/libc/gen/setproctitle.3 | 17 +++++++++++++++--
 lib/libc/gen/syslog.3 | 14 ++++++++++++++
 lib/libc/stdio/printf.3 | 14 ++++++++++++++
 3 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/lib/libc/gen/setproctitle.3 b/lib/libc/gen/setproctitle.3
index eed8f810af9b..15538d52f825 100644
--- a/lib/libc/gen/setproctitle.3
+++ b/lib/libc/gen/setproctitle.3
@@ -25,8 +25,7 @@
 .Dt SETPROCTITLE 3
 .Sh NAME
 .Nm setproctitle
-.Nd set the process title for
-.Xr ps 1
+.Nd set process title
 .Sh SYNOPSIS
 .Fd #include
 .Fd #include
@@ -99,3 +98,17 @@ stole the idea from the
 .Sy "Sendmail 8.7.3"
 source code by
 .An Eric Allman Aq eric@sendmail.org .
+.Sh BUGS
+Never pass a string with user-supplied data as a format without using
+.Ql %s .
+An attacker can put format specifiers in the string to mangle your stack,
+leading to a possible security hole.
+This holds true even if the string was built using a function like
+.Fn snprintf ,
+as the resulting string may still contain user-supplied conversion specifiers
+for later interpolation by
+.Fn setproctitle .
+.Pp
+Always use the proper secure idiom:
+.Pp
+.Dl setproctitle("%s", string);
diff --git a/lib/libc/gen/syslog.3 b/lib/libc/gen/syslog.3
index a2763234f4fb..7513d6018191 100644
--- a/lib/libc/gen/syslog.3
+++ b/lib/libc/gen/syslog.3
@@ -280,3 +280,17 @@ syslog(LOG_INFO|LOG_LOCAL2, "foobar error: %m");
 These functions appeared in
 .Bx 4.2 .
+.Sh BUGS
+Never pass a string with user-supplied data as a format without using
+.Ql %s .
+An attacker can put format specifiers in the string to mangle your stack,
+leading to a possible security hole.
+This holds true even if the string was built using a function like
+.Fn snprintf ,
+as the resulting string may still contain user-supplied conversion specifiers
+for later interpolation by
+.Fn syslog .
+.Pp
+Always use the proper secure idiom:
+.Pp
+.Dl syslog("%s", string);
diff --git a/lib/libc/stdio/printf.3 b/lib/libc/stdio/printf.3
index 30b02a653300..590c1c0bfddb 100644
--- a/lib/libc/stdio/printf.3
+++ b/lib/libc/stdio/printf.3
@@ -664,3 +664,17 @@ For safety, programmers should use the
 .Fn snprintf
 interface instead.
 Unfortunately, this interface is not portable.
+.Pp
+Never pass a string with user-supplied data as a format without using
+.Ql %s .
+An attacker can put format specifiers in the string to mangle your stack,
+leading to a possible security hole.
+This holds true even if the string was built using a function like
+.Fn snprintf ,
+as the resulting string may still contain user-supplied conversion specifiers
+for later interpolation by
+.Fn printf .
+.Pp
+Always use the proper secure idiom:
+.Pp
+.Dl snprintf(buffer, sizeof(buffer), "%s", string);