Subject: Re: proposal: disable *printf %n specifier in libc in NetBSD 1.5
To: None <sommerfeld@orchard.arlington.ma.us>
From: Chris G. Demetriou <cgd@sibyte.com>
List: tech-userlevel
Date: 09/11/2000 14:07:56
Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us> writes:
> I'm attempting to reduce the amount of damage which can be done by an
> erroneous program of this form.  To say that all the erroneous
> programs should be fixed is "nice", and I don't have any objection to
> this, but the fundamental reality is that there's a lot of buggy code
> out there, and knocking an entire class of bugs from "let attacker
> execute arbitrary code" to a mere "simple denial of service" is, IMHO,
> a worthwhile change.

I think that is a worthwhile goal.  Whether or not it's a worthwhile
change depends on what you have to break to get there, and it's not
immediately clear to me that breaking a feature which has been
standard in C for over 10 years (and who knows how long in other
implementations) is worthwhile in this case, when it's obvious it's
not a true solution to the problem.


I suppose that, as long as there's still a way to make unmodified,
conforming C source code continue to work (i.e., you can link in a
special library, and that special library is used when you request
"truly standard C" -- like -lposix for POSIX), this may be acceptable.
(Certainly, w.r.t. running conforming C programs, requiring them to be
modified to enable the feature seems out of the question, so your
proposal of adding a fn call to do that _isn't_ the right thing.)

There's some question as to what to do re: backward compatibility,
though.  (I.e. do printf() et al get renamed?  This is a
backward-incompatible change to their definition, but that seems
... overkill.  On the other hand, the change can break
currently-working binaries.)



cgd
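Added example (not code from this thread or from NetBSD's libc): a small C checker that illustrates the "demotion" Bill argues for, turning a %n in an attacker-influenced format from a memory write into a refused call. `format_uses_n` walks each conversion specification (positional `m$`, flags, `*` or numeric width and precision, length modifiers) so that `%%` is treated as a literal and `%n` is found even when it carries modifiers such as `%5$hhn`; the hypothetical `checked_printf` wrapper refuses the call when it is present. Both names are assumptions for the example, not a libc API, and the sample formats in `main` are constructed. It covers the standard conversion syntax only; implementation extensions would need to be added to the modifier sets.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if fmt contains a %n conversion, 0 otherwise.
 * Each "%" starts a spec of the form
 *   %[m$][flags][width][.precision][length]conv
 * and "%%" is a literal percent sign, so it is skipped outright.
 * A truncated spec at end of string is harmless for this check. */
int format_uses_n(const char *fmt)
{
    const char *p = fmt;
    const char *q;

    while ((p = strchr(p, '%')) != NULL) {
        p++;                                   /* step past '%'     */
        if (*p == '%') { p++; continue; }      /* "%%" literal      */

        /* optional positional argument: digits followed by '$' */
        q = p;
        while (isdigit((unsigned char)*q)) q++;
        if (*q == '$') p = q + 1;

        /* flags: #, 0, -, space, +, ' (thousands grouping) */
        while (*p != '\0' && strchr("#0- +'", *p) != NULL) p++;

        /* field width: digits, or '*' optionally positional "*m$" */
        if (*p == '*') {
            p++;
            while (isdigit((unsigned char)*p)) p++;
            if (*p == '$') p++;
        } else {
            while (isdigit((unsigned char)*p)) p++;
        }

        /* precision: same shape as width, after a '.' */
        if (*p == '.') {
            p++;
            if (*p == '*') {
                p++;
                while (isdigit((unsigned char)*p)) p++;
                if (*p == '$') p++;
            } else {
                while (isdigit((unsigned char)*p)) p++;
            }
        }

        /* length modifiers: h, hh, l, ll, L, q, j, z, t */
        while (*p != '\0' && strchr("hlLqjzt", *p) != NULL) p++;

        /* conversion character */
        if (*p == 'n') return 1;
        if (*p == '\0') break;                 /* truncated spec    */
        p++;
    }
    return 0;
}

/* Hypothetical wrapper: behaves like printf, but returns -1 without
 * printing anything when the format carries %n.  This is the
 * "arbitrary write becomes a mere error" outcome discussed above. */
int checked_printf(const char *fmt, ...)
{
    va_list ap;
    int n;

    if (format_uses_n(fmt)) return -1;
    va_start(ap, fmt);
    n = vprintf(fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    /* constructed sample formats: two harmless, two carrying %n */
    const char *samples[] = {
        "pid=%d user=%s\n", "100%%\n", "%5$hhn", "%-*.*lld %n"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               format_uses_n(samples[i]) ? "refused (%n)" : "allowed");
    return 0;
}
```

The checker is deliberately conservative: any spec whose conversion character is `n` is refused regardless of which argument position it names, so a check of this form costs nothing for correct programs and only changes behaviour for formats that already should not occur.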