Talk:Uncontrolled format string

From Wikipedia, the free encyclopedia
WikiProject Computer Security / Computing (Rated Start-class)
This article is within the scope of WikiProject Computer Security and is supported by WikiProject Computing. It has been rated as Start-Class on the project's quality scale and has not yet received a rating on the project's importance scale.

Broken links

I removed four broken links to format string papers and sites. If anyone has links to valid ones again, especially from trusted, referenceable sources, please add them. Kimos 03:46, 7 April 2006 (UTC)

C doesn't pop

C doesn't pop the arguments. Neither the assembly-written library functions nor user-written C functions pop the arguments. User-written assembly functions doing this are possible, but it's safe to assume anybody who knows assembly is aware of the danger of messing with the stack. Instead, C accesses the arguments with a pointer.

A standard C call (16-bit x86, MASM-style syntax) looks like this:

; Caller: arguments are pushed right to left, and the caller removes them afterwards
push last argument
; ... remaining arguments, right to left ...
push first argument
call function
add sp,argument size      ; caller discards the arguments; the callee never pops them

; Callee: addresses its arguments through bp instead of popping them
function proc near
push bp
mov bp,sp                 ; arguments can now be accessed as [bp+offset]
; ... function body; the first argument is at [bp+4], above the return address and saved bp ...
mov sp,bp                 ; discard locals, if any
pop bp
ret                       ; return without touching the arguments
function endp

In particular, you cannot cause trouble by passing a wrong number of arguments (which would be devastating in BASIC or Pascal). Interestingly, the Windows API, which normally uses Pascal calls, uses C calls for vararg functions, for exactly that reason. Most printf-related bugs print merely garbage. By passing many %X or %s you get a dump of the stack or strings, which is only rarely a hazard. You might get access to sensitive data, but this requires a lot of knowledge about the program and appropriate data structures. The most damaging possibility is to overwrite the code at the return address with %n, which crashes the program but is probably insufficient to jump to malware. -- (talk) 23:48, 6 February 2015 (UTC)
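The mechanics the comment above refers to (directives in an attacker-supplied format being interpreted, and %n writing to memory), shown as an added example that is not part of this talk page or its author's post. It uses snprintf with one deliberately matching argument so every call is well-defined and the effect can be checked; a real attack passes a format with no matching arguments and reads or writes whatever the stack happens to hold. The function names, the buffer sizes and the sample strings are this example's own choices, not anything from the article.

```c
#include <stdio.h>
#include <string.h>

/* Well-defined %n: stores the number of bytes emitted so far into the int*
   argument. Returns the total bytes written (8); *out receives 4. This is the
   write primitive the comment mentions, here pointed at a variable we own. */
int demo_percent_n(int *out) {
    char buf[64];
    return snprintf(buf, sizeof buf, "AAAA%nBBBB", out);
}

/* Vulnerable pattern: user-controlled text used as the format string.
   Any directive in `user` is interpreted. With "hello %n" as input, the six
   bytes "hello " are emitted and then 6 is written through `sink`. The only
   thing stopping a real attacker from writing elsewhere is that here we chose
   what the pointer argument points to; with no matching argument, the value
   used as the pointer comes from the stack. */
int log_vulnerable(char *dst, size_t dstlen, const char *user, int *sink) {
    return snprintf(dst, dstlen, user, sink);   /* format from attacker: bug */
}

/* Hardened form: the format is a constant and the user's text is only ever
   the argument of a %s, so "%n" or "%x" inside it is copied, never executed. */
int log_safe(char *dst, size_t dstlen, const char *user) {
    return snprintf(dst, dstlen, "%s", user);
}

/* Trust-boundary check: does a string contain any conversion directive?
   A doubled "%%" is a literal percent sign and is skipped; a lone trailing
   '%' counts as a directive because it is an incomplete conversion. */
int contains_directive(const char *s) {
    for (; (s = strchr(s, '%')) != NULL; s++) {
        if (s[1] == '%') { s++; continue; }  /* "%%": literal percent */
        return 1;
    }
    return 0;
}

int main(void) {
    int written = 0, sink = 0;
    char buf[64];
    demo_percent_n(&written);
    printf("%%n stored %d\n", written);
    log_vulnerable(buf, sizeof buf, "hello %n", &sink);
    printf("vulnerable: buf=\"%s\" sink=%d\n", buf, sink);
    sink = 0;
    log_safe(buf, sizeof buf, "hello %n");
    printf("safe: buf=\"%s\" sink=%d\n", buf, sink);
    printf("directive in \"100%% done\"? %d\n", contains_directive("100%% done"));
    return 0;
}
```

Two practical notes. First, the compiler can already catch the no-argument case: `gcc -Wformat-security` (or `-Werror=format-security`) warns when a non-literal format is passed with no further arguments, which is exactly the `printf(user)` shape, so turning it on is a cheap check. Second, some libc builds refuse %n when the format lives in writable memory (glibc with _FORTIFY_SOURCE aborts; MSVC disables %n unless explicitly enabled), which is why the example passes a string literal as the attacker input; on such a build a %n supplied through a heap or stack buffer fails instead of writing, but %x and %s still read from the stack as the comment describes.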