
On 5/1/07, Haoqi Haoqi <axgle / 126.com> wrote:
>
> here is my simple test:
> where is my mistake??
>
> #include "ruby.h"
> #include "stdio.h"
> static VALUE
> tests(){
>     char *s1 = "a";
>     char *s2 = "b";
>     char *buf;
>     sprintf(buf,"%s after %s",s1,s2);
>     printf(buf);
>     return Qnil;
> }
> void Init_hello(){
>     rb_define_global_function("tests",tests,0);
> }


You have to be very careful when working with c.  The code above has a
couple of classic security vulnerabilities.

Since you are not dealing with user-controlled buffers, it's not that big of
a deal, but here are a couple of tips:

1) In general, don't use sprintf(); use snprintf().

char *s1 = "a ";
char *s2 = "b ";
char buf[1024];
snprintf(buf, sizeof(buf), "%s after %s", s1, s2);

2) Always use a string literal as the format string for functions that take
one (printf(), snprintf(), etc.):

 printf("%s",buf);

If you're interested in what can be done if these errors are made, check out
these papers:

http://doc.bughunter.net/buffer-overflow/smash-stack.html
http://doc.bughunter.net/format-string/exploit-fs.html

-Adam
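The two tips above, worked through as an added example (this is not code from the original post or from Adam's reply; the helper names join_after() and render_untrusted() and the sample strings are my own). join_after() does the snprintf() version of the original "%s after %s" and checks the return value, which is how you notice that the result did not fit instead of silently overflowing; render_untrusted() shows that with a literal "%s" format, '%' sequences inside the data are just characters.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (added example): join two strings into a fixed-size
 * buffer with snprintf(). Returns 0 on success, -1 if the result would not
 * fit. snprintf() returns the length it *wanted* to write, so a value
 * >= dstsz means the output was truncated. */
static int join_after(char *dst, size_t dstsz, const char *s1, const char *s2)
{
    int n = snprintf(dst, dstsz, "%s after %s", s1, s2);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';          /* don't hand back a half-written line */
        return -1;
    }
    return 0;
}

/* Hypothetical helper: copy untrusted text into dst through a literal format
 * string. Any '%' in text is data, not a directive, so "%x %n" comes out
 * verbatim. Returns 0 on success, -1 on truncation. */
static int render_untrusted(char *dst, size_t dstsz, const char *text)
{
    int n = snprintf(dst, dstsz, "%s", text);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;
    return 0;
}

int main(void)
{
    char buf[32];
    const char *s1 = "a ";
    const char *s2 = "b ";

    /* Tip 1: the original post did `char *buf; sprintf(buf, ...)`, writing
     * through an uninitialized pointer, and even `char buf[N]` + sprintf()
     * overflows once the inputs are longer than N. Bounding the write with
     * sizeof(buf) and checking the result is the safe form. */
    if (join_after(buf, sizeof buf, s1, s2) == 0)
        printf("%s\n", buf);

    /* Constructed input that cannot fit: the call fails instead of
     * overflowing buf. */
    char longstr[64];
    memset(longstr, 'A', sizeof longstr - 1);
    longstr[sizeof longstr - 1] = '\0';
    if (join_after(buf, sizeof buf, longstr, s2) != 0)
        printf("rejected: result would not fit in %zu bytes\n", sizeof buf);

    /* Tip 2: printf(buf) lets '%' sequences inside buf act as directives
     * (reading or, with %n, writing memory). With a literal "%s" format they
     * are plain characters. (Constructed attacker-style input.) */
    const char *hostile = "hello %x %x %n";
    char out[64];
    if (render_untrusted(out, sizeof out, hostile) == 0)
        printf("%s\n", out);    /* prints the string as-is, directives and all */
    return 0;
}
```

The return-value check on snprintf() is the part people most often skip: without it, truncation is silent, which is fine for a debug message but not when the buffer later feeds a path, a command line or another parser.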
