Subject: Re: proposal: disable *printf %n specifier in libc in NetBSD 1.5
To: Chris G. Demetriou <>
From: Greywolf <>
List: tech-userlevel
Date: 09/11/2000 23:22:39
On 11 Sep 2000, Chris G. Demetriou wrote:

# Bill Sommerfeld <> writes:
# > %n allows a error which would otherwise allow for a *read* of an
# > arbitrary address (and likely program-terminating core dump) into one
# > which allows arbitrary writes into arbitrary locations, allowing
# > complete subversion of program behavior.
# an error fundamentally caused by inadequate checking in the program.
# ...
# how about the other problems caused by bogus input?
# "I can't write programs correctly, and the library takes case of this
# case for me, it should make the rest work right too!!!"
# It's a stupid argument for a programmer to make, but the answer in
# _all_ cases should be "WRITE YOUR PROGRAM CORRECTLY, or if you must,
# try disabling some more dangerous library features by doing ...," if
# the alternative is to break portable, standards-conforming programs.


*THANK* you.  There is NO excuse for shoddy programming if you want
something to work.  Learn how to do it correctly, or don't do it.

"It is left as an exercise for the reader that there may be more than one
 correct way to achieve a desired result. 8^)"
[suggestion #1:  don't use *s*printf (conditions apply to this statement).]

I mean, here's an extreme example which most dinosaurs (actual or osmotic)
will understand:

"I have this program that worked all the time until I migrated it onto
a Sun.  Memory location zero should be referable and contain zero,
shouldn't it?"

[see TNHD: vaxocentrism]

We've all been around long enough for this one.  I think we can still
spare some brain cells and write correct code.

# cgd

BSD: My Computer Works!