Not a bug: IIL Advisory: Format String bug in Null Webmail (0.6.3)

From: Andrew Church (achurch@achurch.org)
Date: 09/25/02


From: achurch@achurch.org (Andrew Church)
To: downbload@hotmail.com
Date: Thu, 26 Sep 2002 01:28:16 JST


     As I was severely bitten by this issue lately, this caught my
interest, but the "bug" reported in this so-called advisory is in fact not
a bug at all. Observe:

>int wmprintf(const char *format, ...) /* <--- INTERESTING FUNCTION */
>{
> char buffer[1024];
> va_list ap;
>
> va_start(ap, format);
> vsnprintf(buffer, sizeof(buffer)-1, format, ap); // <- INTERESTING

     This does pass a (potentially) non-constant string as the format
string to vsnprintf(), but (at least from the examples provided) wmprintf()
is always called with a constant format string, so this isn't a problem.

> va_end(ap);
> send(wmsocket, buffer, strlen(buffer), 0);

     If this were a *printf() call, then we'd have problems, but all it's
doing is writing the buffer to the socket--no formatting interpretation
involved.

     As an example, let's expand one of the calls, assuming the %s
parameter is "NASTY %sTRING":

>wmprintf("USER %s\r\n", wmusername);
--> wmprintf("USER %s\r\n", "NASTY %sTRING");

>int wmprintf(const char *format, ...)
>{
--> format == "USER %s\r\n"
> char buffer[1024];
--> buffer == undefined
> va_list ap;
--> ap == undefined
>
> va_start(ap, format);
--> ap == &"NASTY %sTRING"
> vsnprintf(buffer, sizeof(buffer)-1, format, ap); // <- INTERESTING
--> buffer == "USER NASTY %sTRING\r\n"
> va_end(ap);
--> ap == undefined
> send(wmsocket, buffer, strlen(buffer), 0);
--> send(wmsocket, "USER NASTY %sTRING\r\n", 20, 0);
>// logdata (">> %s", buffer);
--> logdata(">> %s", "USER NASTY %sTRING");
> return 0;
>}

     The author is even careful enough to use logdata("%s",buffer) instead
of logdata(buffer), which is the careless mistake I made and had pointed
out to me.

     Nothing to see here, move along.

>======[ Example
>
>Can't test this bug!!!
>If I'm wrong about this format string bug in Null Webmail, I'm very sorry.

  --Andrew Church
    achurch@achurch.org
    http://achurch.org/
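The two patterns the mail contrasts, as an added example that is not Andrew Church's code nor Null Webmail's: `wm_format()` is a constructed stand-in for the quoted `wmprintf()` (same `vsnprintf()` call shape, but it writes to a caller-supplied buffer instead of a socket), and the hostile user name is the one from the trace above.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the quoted wmprintf(): same vsnprintf() call shape,
 * but writes the result to out_buf instead of sending it to a socket. */
static int wm_format(char *out_buf, size_t out_len, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(out_buf, out_len, format, ap);
    va_end(ap);
    return n;
}

/* The pattern the mail defends: constant format, user data only as a %s
 * argument. Returns 1 if the buffer matches the mail's trace byte for byte. */
int user_data_as_argument(void)
{
    char buffer[1024];
    const char *wmusername = "NASTY %sTRING";  /* constructed hostile input */

    wm_format(buffer, sizeof(buffer) - 1, "USER %s\r\n", wmusername);
    /* the "%s" inside the user name survives as literal text; send() and
     * logdata("%s", buffer) would never interpret it */
    return strcmp(buffer, "USER NASTY %sTRING\r\n") == 0 && strlen(buffer) == 20;
}

/* The careless logdata(buffer) pattern the mail warns against: the already
 * formatted buffer is reused as a format string. One matching argument is
 * supplied here so the call stays well-defined, which is enough to show the
 * user's "%s" being consumed as a conversion specifier. Returns 1 if it was. */
int user_data_as_format(void)
{
    char buffer[1024], logline[1024];
    const char *wmusername = "NASTY %sTRING";  /* constructed hostile input */

    wm_format(buffer, sizeof(buffer) - 1, "USER %s\r\n", wmusername);
    /* second formatting pass with buffer as the format: "%s" is interpreted */
    wm_format(logline, sizeof(logline) - 1, buffer, "<argument>");
    return strcmp(logline, "USER NASTY <argument>TRING\r\n") == 0;
}
```

Compiling with `-Wformat-security` flags the second pattern only when the callee carries a format attribute, so the `logdata("%s", buffer)` habit is worth keeping even where the compiler stays silent.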
