On 5/1/07, Haoqi H. wrote:
char *buf;
sprintf(buf,"%s after %s",s1,s2);
printf(buf);
return Qnil;
}
void Init_hello(){
rb_define_global_function("tests",tests,0);
}
You have to be very careful when working with C. The code above has a
couple of classic security vulnerabilities.
Since you are not dealing with user-controlled buffers, it’s not that
big of a deal, but here are a couple of tips:
- In general, don’t use sprintf(). Use snprintf():
char * s1 = "a ";
char * s2 = "b ";
char buf[1024];
snprintf(buf,sizeof(buf),"%s after %s",s1,s2);
- Always use a string literal as the format string to functions which
take them (printf(), snprintf(), etc.):
printf("%s",buf);
If you’re interested in what can be done if these errors are made, check
out these papers:
http://doc.bughunter.net/buffer-overflow/smash-stack.html
http://doc.bughunter.net/format-string/exploit-fs.html
-Adam
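As an added illustration of the two fixes described above (this is not code from the thread, and the Ruby extension glue is left out), here is a plain C version of the join; the function names join_after, print_joined and render_joined are my own, and the sample inputs are constructed:

```c
#include <stdio.h>
#include <string.h>

/* Hardened version of the quoted join: writes "<s1> after <s2>" into out,
 * never past outlen bytes. Returns 0 on success, -1 if the result did not
 * fit (the output is then truncated but still NUL-terminated). */
int join_after(const char *s1, const char *s2, char *out, size_t outlen)
{
    if (out == NULL || outlen == 0)
        return -1;
    /* snprintf returns the length the full string would have had, so a
     * value >= outlen tells us the caller's buffer was too small. */
    int n = snprintf(out, outlen, "%s after %s", s1, s2);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Printing data: the format string is a literal and the data is an
 * argument, so any '%' inside buf is printed as-is, never interpreted. */
void print_joined(const char *buf)
{
    printf("%s\n", buf);
}

/* Same rendering as print_joined, but into a buffer, so the behaviour can
 * be checked without capturing stdout. */
int render_joined(const char *buf, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s", buf);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char buf[1024];
    /* constructed inputs; the second contains format specifiers to show
     * they stay inert when passed as data rather than as the format */
    const char *inputs[] = { "b ", "%x %x" };
    for (size_t i = 0; i < 2; i++) {
        if (join_after("a ", inputs[i], buf, sizeof buf) == 0)
            print_joined(buf);
    }
    char tiny[8];
    if (join_after("a ", "b ", tiny, sizeof tiny) != 0)
        printf("result did not fit in %zu bytes: \"%s\"\n", sizeof tiny, tiny);
    return 0;
}
```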