This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH] vfprint: validate nargs and argument-based offsets
- From: "Joseph S. Myers" <joseph at codesourcery dot com>
- To: Tomas Hoger <thoger at redhat dot com>
- Cc: Kees Cook <kees at outflux dot net>, Andreas Jaeger <aj at suse dot com>, "Ryan S. Arnold" <ryan dot arnold at gmail dot com>, libc-alpha at sourceware dot org, Paul Eggert <eggert at cs dot ucla dot edu>, Roland McGrath <roland at hack dot frob dot com>, Andreas Schwab <schwab at linux-m68k dot org>
- Date: Mon, 5 Mar 2012 17:55:37 +0000 (UTC)
- Subject: Re: [PATCH] vfprint: validate nargs and argument-based offsets
- References: <20120302185346.GE3990@outflux.net> <20120305180923.74a20a8f@redhat.com>
On Mon, 5 Mar 2012, Tomas Hoger wrote:
> A commenter in Red Hat bugzilla proposed a different fix:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=794766#c8
>
> The easiest fix would have been to restrict "nargs" to NL_ARGMAX.
>
> http://www.opengroup.org/onlinepubs/9699919799/basedefs/limits.h.html#tag_13_23_03_07
>
> which has the benefit of avoiding possibly large heap allocation in the
> bad case. Kees, have you considered such an approach?
The GNU Coding Standards say to avoid arbitrary limits, so it's correct
that the number of such arguments should be limited only by available
memory. (Note that printf requires that there are no gaps in the numbers
in the format string, so specifying argument 1000000 with a format string
that doesn't specify all smaller numbers as well means the format is
invalid, for example. For scanf, there isn't this requirement; there may
be gaps in the numbers as long as pointers were passed for the unused
arguments.)
--
Joseph S. Myers
joseph@codesourcery.com
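As an added example (not glibc code and not part of this thread), a small C checker for the printf rule Joseph describes: positional argument numbers must have no gaps. It assumes a simplified format grammar that recognises only `%n$` directly after `%` and `%%`; flags, `*m$` width/precision and the conversion letters are not interpreted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Parse the positional designator "<digits>$" at *P.  Returns the
   argument number and advances *P past the '$', or returns 0 when *P
   does not start a "%n$" designator (printf numbers start at 1). */
static size_t positional_number(const char **p)
{
    const char *q = *p;
    size_t n = 0;
    while (*q >= '0' && *q <= '9')
        n = n * 10 + (size_t)(*q++ - '0');
    if (q == *p || *q != '$' || n == 0)
        return 0;
    *p = q + 1;
    return n;
}

/* A printf format that uses positional arguments must use every number
   from 1 up to the largest one it mentions.  Returns 1 when the format
   is gap-free (or uses no positional arguments at all), 0 when a gap
   exists, and -1 if the bookkeeping array could not be allocated.
   Simplified scanner: only "%n$" right after '%' and "%%" are
   recognised, so this checks the numbering, not the whole format. */
int printf_positional_gap_free(const char *fmt)
{
    size_t max = 0, count = 0;
    bool *seen = NULL;
    for (int pass = 0; pass < 2; pass++) {
        if (pass == 1) {
            if (max == 0)
                return 1;              /* no positional arguments */
            seen = calloc(max, sizeof *seen);
            if (seen == NULL)
                return -1;
        }
        for (const char *p = fmt; (p = strchr(p, '%')) != NULL; ) {
            p++;
            if (*p == '%') { p++; continue; }   /* literal "%%" */
            size_t n = positional_number(&p);
            if (n == 0) continue;               /* not a "%n$" designator */
            if (pass == 0) { if (n > max) max = n; }
            else if (!seen[n - 1]) { seen[n - 1] = true; count++; }
        }
    }
    free(seen);
    return count == max;   /* every number 1..max was seen */
}
```

With this check, a format such as `%1000000$d` is rejected as invalid before any argument table sized from its largest number would be built.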