Jim Meyering wrote:
> It is the key that gives format-abusers so much latitude
> in choosing what value to write where. Without that
> feature, coming up with a real exploit is much harder.

Without %n, one can still use format strings like
%.10000000f%.10000000f%.10000000f%.10000000f%.10000000f%.10000000f
to conduct denial-of-service attacks.

> > 2. a user-provided string that is used as a format string,
> >
> > So why don't people think more about how to fix #2?
>
> Because removing such vulnerabilities at the source is much more
> labor-intensive.

It doesn't need to be at the source level. If, for example, gcc were changed to emit a certain signature (4 bytes) in front of every read-only format string, and vfprintf verified this signature by looking at fmt[-4..-1], then only the few applications which willfully construct format strings at runtime would have to change their source code.

Bruno
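The signature scheme sketched in the message above, as an added worked example that is not code from this thread, from gcc or from glibc. Since no compiler emits such a tag, a `FMT()` macro stands in for the compiler change by concatenating the signature in front of a literal and advancing the pointer past it; `checked_vfprintf` plays the role of the patched vfprintf, `sign_runtime_format` shows the one source change an application that builds formats at runtime would need, and `demo_user_string` is the bug class itself (user input reaching the format argument). The signature value and all function names are assumptions made for the example:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the 4-byte signature the proposal would have gcc emit in
   front of every read-only format string. The value is an assumption. */
#define FMT_SIG      "\x7f" "FMT"
#define FMT_SIG_LEN  4

/* Tags a format literal the way a patched compiler would: the signature is
   concatenated in front of the literal and the pointer advanced past it, so
   the callee sees an ordinary format string with FMT_SIG at fmt[-4..-1]. */
#define FMT(lit)     (FMT_SIG lit + FMT_SIG_LEN)

/* The check a patched vfprintf would perform. Only meaningful for pointers
   produced by FMT() or sign_runtime_format(): reading the bytes before an
   arbitrary string is out of bounds in C, which is why the proposal needs
   the compiler to tag every literal rather than leaving it to callers. */
int fmt_is_signed(const char *fmt)
{
    return memcmp(fmt - FMT_SIG_LEN, FMT_SIG, FMT_SIG_LEN) == 0;
}

/* vfprintf that refuses untagged formats: returns -1 and prints nothing. */
int checked_vfprintf(FILE *fp, const char *fmt, va_list ap)
{
    if (!fmt_is_signed(fmt))
        return -1;
    return vfprintf(fp, fmt, ap);
}

int checked_fprintf(FILE *fp, const char *fmt, ...)
{
    va_list ap;
    int r;
    va_start(ap, fmt);
    r = checked_vfprintf(fp, fmt, ap);
    va_end(ap);
    return r;
}

/* The one source change the proposal asks of code that builds formats at
   runtime: write the signature in front of the constructed format and hand
   out the pointer just past it. Returns NULL if dst is too small. */
const char *sign_runtime_format(char *dst, size_t dstlen, const char *fmt)
{
    size_t n = strlen(fmt);
    if (dstlen < FMT_SIG_LEN + n + 1)
        return NULL;
    memcpy(dst, FMT_SIG, FMT_SIG_LEN);
    memcpy(dst + FMT_SIG_LEN, fmt, n + 1);
    return dst + FMT_SIG_LEN;
}

/* Tagged literal: accepted, prints "value=42\n" and returns 9. */
int demo_literal(void)
{
    return checked_fprintf(stdout, FMT("value=%d\n"), 42);
}

/* Deliberately constructed format, signed by the application: accepted,
   prints "1-2\n" and returns 4. */
int demo_runtime(void)
{
    char buf[32];
    const char *fmt = sign_runtime_format(buf, sizeof buf, "%d-%d\n");
    if (fmt == NULL)
        return -1;
    return checked_fprintf(stdout, fmt, 1, 2);
}

/* The bug class under discussion: user input reaches the format argument.
   The input is copied into a buffer whose preceding four bytes are zero
   (standing in for whatever memory happens to precede attacker data), so
   the signature check fails and nothing is formatted; returns -1. */
int demo_user_string(const char *user_input)
{
    char buf[FMT_SIG_LEN + 64];
    memset(buf, 0, sizeof buf);
    snprintf(buf + FMT_SIG_LEN, sizeof buf - FMT_SIG_LEN, "%s", user_input);
    return checked_fprintf(stdout, buf + FMT_SIG_LEN);
}

int main(void)
{
    demo_literal();
    demo_runtime();
    /* Constructed attacker input: would write memory via %n if formatted. */
    printf("user string: %d\n", demo_user_string("%x%x%x%n"));
    return 0;
}
```

Two caveats worth keeping in mind with this scheme. The check only tells the callee whether the format pointer came from a tagged object, so it catches user strings that reach the format parameter (which covers both the %n write and the %.10000000f denial of service above) only as long as the attacker cannot also control the four bytes immediately preceding their string; data that happens to follow the signature bytes in memory passes. And because the check reads before the start of the string, every literal handed to the printf family must carry the tag, so libraries compiled with an unpatched compiler would need the same treatment as the runtime-constructing applications.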