Gotchas: Difference between revisions

The first function every C programmer learns (besides <code>main</code>), <code>printf</code> can be exploited in much the same way as <code>gets()</code>, but only if the programmer is careless. <code>printf</code> can nominally take any number of arguments; however, no CPU supports variadic functions in hardware, in the sense of the CPU knowing how many arguments were passed without some extra convention, such as a separate variable that holds the count (as in <code>int argc, char* argv[]</code>).
 
<code>printf()</code> takes any number of arguments through a dirty trick: the format string. Each time <code>printf()</code> encounters a conversion specification (a <code>%</code> that is not the <code>%%</code> escape) in the format string, it performs the substitution using the next function argument, which, depending on the calling convention, comes first from registers and then from the stack. This isn't a problem as long as you <i><b>never let the user write the format string.</b></i> If the format string contains more conversions than there are arguments, <code>printf()</code> keeps reading from the registers and stack and treats whatever is there as the "missing" arguments. This lets a malicious user read the program's call history and stack contents, which can be useful in figuring out other ways of exploiting the program. Modern compilers flag a non-literal format string with <code>-Wformat-security</code>, and the fix is always the same: pass the user's text as data, <code>printf("%s", input)</code>, never as the format.
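The following C program is an added example and not part of the original page: it places the vulnerable pattern (user bytes used as the format string) beside the fixed form, and adds a small helper that counts how many arguments a format string would make <code>printf()</code> consume, so a reviewer can check a call site against the arguments it actually supplies. The function names and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Count conversion specifications in fmt: every '%' that is not the
 * "%%" escape. Each one makes printf() consume one more argument. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" prints a literal '%' and takes no argument */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Return 1 if s contains no conversion at all, i.e. handing it to printf()
 * as the format string would pull no arguments. */
int format_is_literal(const char *s)
{
    return count_conversions(s) == 0;
}

/* How many arguments fmt demands beyond what the call site supplies.
 * A positive result means printf() would read registers/stack slots that
 * were never passed, exactly the situation the text describes. */
int missing_args(const char *fmt, int args_supplied)
{
    int need = count_conversions(fmt);
    return need > args_supplied ? need - args_supplied : 0;
}

/* VULNERABLE (hypothetical): the user's bytes become the format string.
 * Input such as "%x %x %x" makes printf() walk the argument registers and
 * stack for values that were never passed. Compilers warn about this call
 * with -Wformat-security; it is kept here only to show the pattern and is
 * never invoked by main(). */
void echo_vulnerable(const char *user_input)
{
    printf(user_input);
    putchar('\n');
}

/* FIXED: the format string is a literal written by the programmer; the
 * user's bytes are only ever data consumed by %s. */
void echo_fixed(const char *user_input)
{
    printf("%s\n", user_input);
}

int main(void)
{
    /* Constructed sample inputs: what a user might type at a prompt. */
    const char *benign = "hello world";
    const char *hostile = "%x %x %x %x";

    echo_fixed(benign);
    echo_fixed(hostile);        /* prints the text itself; nothing is read from the stack */
    printf("as a format string, \"%s\" would demand %d arguments that were never passed\n",
           hostile, missing_args(hostile, 0));
    printf("is \"%s\" safe as a literal format? %s\n",
           benign, format_is_literal(benign) ? "yes" : "no");
    return 0;
}
```

The counting helper deliberately treats a trailing lone <code>%</code> as a conversion, since a malformed format is just as wrong at a review as an extra <code>%x</code>; in practice the counter is a review aid, and the real defence is the literal format in <code>echo_fixed</code>.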
 
<syntaxhighlight lang="C">int main()