
The answer by unwind to my previous question led me to another question. I had asked a question about

    const char *INTERFACE = "wlan0";
    struct ifreq ifr;
    memset(&ifr, 0, sizeof(ifr));
    snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), INTERFACE);

unwind replied as

It's worth warning for since it can be a security risk; if the string argument is changeable at runtime it's possible that a % can be "snuck in", which will lead to problems. Therefore it's better if the formatting string is hardcoded to "do what you want".

I wonder how it is possible to change the string argument at runtime?

EDIT: to be clearer, could anyone give me an example of how to change the string argument at runtime?


unwind is no doubt referring to the INTERFACE variable.

If, for some reason, you ask the user which interface they should use (using something like fscanf() into a writable buffer) and they enter "wlan0 %s", all hell may break loose because you then have the situation where you're effectively executing:

snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "wlan0 %s"); 

with no extra argument corresponding to the %s in your format string.

The way to protect against this is to use:

snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", INTERFACE); 

so that someone usurping INTERFACE will have no effect on that statement other than to change what's put into ifr.ifr_name.

In your particular case:

    #include <stdio.h>
    #include <net/if.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        const char *INTERFACE = "wlan0";
        struct ifreq ifr;

        memset(&ifr, 0, sizeof(ifr));
        /* non-literal format string: the compiler warns even though INTERFACE is constant here */
        snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), INTERFACE);
        return 0;
    }

you remain totally in control of INTERFACE, so there's no danger, but the compiler is not doing that level of analysis - it just knows that a non-literal format string is a risk.
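As an added example (not code from the question or the answer), here is the answer's hardened `"%s"` form applied to a name supplied at runtime, together with the truncation check and the character accept-list that the answer does not cover; `copy_ifname`, `ifname_is_sane` and the locally defined IFNAMSIZ are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: IFNAMSIZ is 16 on Linux; it is defined here so the example
 * builds without <net/if.h>. */
#define IFNAMSIZ 16

/* Copies a runtime-supplied interface name into an ifr_name-sized buffer.
 * The format string is the literal "%s", so any '%' inside `name` is plain
 * data and is never interpreted as a conversion.  Returns 1 if the whole
 * name fit, 0 if snprintf had to truncate it (snprintf returns the length
 * it wanted to write, not the length it actually wrote). */
static int copy_ifname(char dst[IFNAMSIZ], const char *name)
{
    int n = snprintf(dst, IFNAMSIZ, "%s", name);
    return n >= 0 && (size_t)n < IFNAMSIZ;
}

/* Extra check: reject names that could never be a real interface name.
 * The accept-list (alphanumerics, '-', '_', '.', ':') is an assumption. */
static int ifname_is_sane(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len >= IFNAMSIZ)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.' || c == ':'))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: a benign name, the hostile one from the answer,
     * and one that is too long for the buffer. */
    const char *inputs[] = { "wlan0", "wlan0 %s", "this_name_is_far_too_long" };
    char ifname[IFNAMSIZ];

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        int fit = copy_ifname(ifname, inputs[i]);
        printf("%-26s -> \"%s\" fit=%d sane=%d\n",
               inputs[i], ifname, fit, ifname_is_sane(inputs[i]));
    }
    return 0;
}
```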


3 Comments

Thank you for the clarification. Could you correct me if I misunderstand you: the only way to change the string argument, INTERFACE, at runtime is if the program asks the user to enter a string value; otherwise it is not possible to do some hacker tricks and change the argument at runtime?
@sven, there are many attack vectors; user input is one of them. There may be ways to attach to the process and modify its memory while it's running, or modify the strings in the executable file before it runs, or use an input buffer overflow into a totally unrelated variable to affect INTERFACE. The possibilities are certainly more than you (or I) can think of alone :-)
@paxdiablo: If someone can attach to the process and modify memory while the process is running, then the process is already owned. That is not an attack vector.
