propolice and syslog-ng

Bennett Todd bet at
Wed Sep 29 08:53:19 PDT 2004

2004-09-29T15:17:09 Robert Connolly:
> Sep 29 11:07:48 SecondFloor fail: stack overflow in function %s%m
> The "%s%m" isn't being expanded. My code is this:
> const char message[] = "stack overflow in function %s";
> ...
> syslog(LOG_CRIT, message, "%s%m");
> I'm going to try again without the quotes, but it looks like %s doesn't expand 
> to anything.

Whew, that's a relief!

The second arg of syslog is the format string, the remaining args
are the values to interpolate into the format's %-tagged fields.

A popular bug, very fashionable, is to log user-provided data by

	syslog(LOG_whatever, userdata);

which lets attackers blow up the program by including cleverly bad
%-expandos in the data that gets logged; the correct fix is

	syslog(LOG_whatever, "%s", userdata);

since that puts one programmer-controlled expando in position for
the format processor to see it, and the user data is no longer in a
position to blow up the logging process.

If syslog (or printf) %-expando processing were recursive, honoring
%whatever in the data strings that are interpolated with %s
recursively, the only way to safely log data that originated with an
attacker (e.g., Message-IDs being syslogged by an MTA) would be by
stripping anything that might be an expando out of them first, which
means you couldn't log accurately and safely unless your stripper
perfectly understood every aspect of the expando processor.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <>

More information about the hlfs-dev mailing list