Talk:Uncontrolled format string
WikiProject Computer Security / Computing (Rated Start-class)
I removed four broken links to format string papers and sites. If anyone has links to valid ones again, especially from trusted, referenceable sources, please add them. Kimos 03:46, 7 April 2006 (UTC)
C doesn't pop
C doesn't pop the arguments. Neither the assembly-written library functions nor user-written C functions pop the arguments. User-written assembly functions doing this are possible, but it's safe to assume anybody who knows assembly is aware of the danger of messing with the stack. Instead, C accesses the arguments with a pointer.
A standard C call looks like this:

    ; Caller
            ...
            push last argument
            ...
            push first argument
            call funktion
            add sp,argument size
            ...

    ; Function
    funktion proc near
            push bp
            mov bp,sp
            ; arguments can now be accessed by [bp+address]
            ...
            pop bp
            ret
    funktion endp

In particular, you cannot cause trouble by passing a wrong number of arguments (which would be devastating in BASIC or Pascal). Interestingly, the Windows API, which normally uses Pascal calls, uses C calls for vararg functions, for exactly that reason. Most printf-related bugs merely print garbage. By passing many %X or %s you get a dump of the stack or strings, which is only rarely a hazard. You might get access to sensitive data, but this requires a lot of knowledge about the program, and appropriate data structures. The most damaging thing possible is to overwrite the code at the return address with %n, which crashes the program, but is probably insufficient to jump to malware. --220.127.116.11 (talk) 23:48, 6 February 2015 (UTC)
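
The comment above notes that a variadic callee reads its arguments through a pointer, so the format string alone determines how many arguments are fetched. As an added example (not part of the talk-page discussion; the names `audit_format` and `format_is_safe` are hypothetical, and positional `%1$x` directives are deliberately reported as malformed), this C routine counts the arguments a format would fetch and flags `%n`, so a mismatch can be rejected before the call:

```c
#include <string.h>

/* Result of scanning a printf-style format string. */
struct fmt_audit {
    int args_consumed;  /* variadic arguments the format would fetch */
    int has_percent_n;  /* nonzero if a %n (write-back) directive appears */
    int malformed;      /* nonzero if a directive is cut off or unknown */
};

/* Walk the format the way printf does: flags, width, precision,
 * length modifier, conversion. Each '*' and each conversion other
 * than %% fetches one argument through the argument pointer. */
struct fmt_audit audit_format(const char *fmt)
{
    struct fmt_audit r = {0, 0, 0};
    const char *p = fmt;

    while ((p = strchr(p, '%')) != NULL) {
        p++;                                   /* skip '%' */
        if (*p == '%') { p++; continue; }      /* literal percent sign */
        p += strspn(p, "-+ #0");               /* flags */
        if (*p == '*') { r.args_consumed++; p++; }
        else p += strspn(p, "0123456789");     /* width */
        if (*p == '.') {
            p++;
            if (*p == '*') { r.args_consumed++; p++; }
            else p += strspn(p, "0123456789"); /* precision */
        }
        p += strspn(p, "hljztL");              /* length modifiers */
        if (*p == '\0' || strchr("diouxXeEfFgGaAcspn", *p) == NULL) {
            r.malformed = 1;                   /* truncated or unknown */
            break;
        }
        if (*p == 'n') r.has_percent_n = 1;
        r.args_consumed++;
        p++;
    }
    return r;
}

/* Policy check: accept a format only if it is well formed, has no %n,
 * and fetches exactly as many arguments as the caller supplies. */
int format_is_safe(const char *fmt, int args_supplied)
{
    struct fmt_audit r = audit_format(fmt);
    return !r.malformed && !r.has_percent_n && r.args_consumed == args_supplied;
}
```
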