Include information on the dangers of passing a user-supplied string as
a format string. This will later on be changed to a reference to the FreeBSD Security Architecture after it has been committed.
PR: docs/39320
Sponsored by: DARPA, NAI Labs
This commit is contained in:
parent a3cce19f7d
commit 7bc7869122
@ -700,6 +700,27 @@ a buffer overflow attack.
|
|||||||
the FSA
|
the FSA
|
||||||
and
|
and
|
||||||
.Sx EXAMPLES . )
|
.Sx EXAMPLES . )
|
||||||
|
.Pp
|
||||||
|
.\" XXX - rewrite after FSA
|
||||||
|
The
|
||||||
|
.Fn printf
|
||||||
|
and
|
||||||
|
.Fn vprintf
|
||||||
|
functions are also easily misused in a manner allowing malicious users
|
||||||
|
to arbitrarily change a running program's functionality by either
|
||||||
|
causing the program to print potentially sensitive data
|
||||||
|
.Dq "left on the stack,"
|
||||||
|
or causing it to generate a memory fault or bus error
|
||||||
|
by dereferencing an invalid pointer.
|
||||||
|
.Pp
|
||||||
|
Never, under any circumstances pass a string obtained from the network,
|
||||||
|
a file, or any user as a format string to a
|
||||||
|
.Fn printf
|
||||||
|
or
|
||||||
|
.Fn sprintf
|
||||||
|
function.
|
||||||
|
.Xc
|
||||||
|
.Ec
|
||||||
.Sh SEE ALSO
|
.Sh SEE ALSO
|
||||||
.Xr printf 1 ,
|
.Xr printf 1 ,
|
||||||
.Xr scanf 3 ,
|
.Xr scanf 3 ,
|
||||||
|
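Review bot: the closing warning names only printf and sprintf, while the sentence just before it names printf and vprintf, which leaves a reader guessing whether fprintf, snprintf, vsnprintf and the rest are covered; since the hazard applies to every function in the family, consider phrasing the warning as "as a format string to any function in the printf family" (or listing them all) so the two sentences agree. Two smaller mdoc points in the same hunk: "Never, under any circumstances pass" needs a comma after "circumstances", and the trailing comma in `.Dq "left on the stack,"` should be passed as a separate argument (`.Dq left on the stack ,`) so mdoc renders it outside the closing quote, matching the `.Sx EXAMPLES . )` style used a few lines earlier.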