Document Number: N2834
Submitter: Aaron Peter Bachmann
Submission Date: 2021-10-07
Deprecate the %n format specifier in C2X

Summary

%n is the target of attacks trying to compromise software, but provides little utility. Thus, this paper proposes deprecating or obsoleting the %n format specifier.

Prior work

Discussion

Arguments in favor of the proposal:

Argument against the proposal:

Proposed wording

The changes given here are relative to N2596 [4].

After 7.21.6.1 paragraph 8 append the sentence in green.

The argument shall be a pointer to signed integer whose type is specified by the length modifiers, if any, for the conversion specification, or shall be int if no length modifiers are specified for the conversion specification. The number of characters written to the output stream so far by this call to fprintf is stored into the integer object pointed to by the argument. No argument is converted, but one is consumed. If the conversion specification includes any flags, a field width, or a precision, the behavior is undefined. The use of n as format specifier is a deprecated feature.

Alternatively use:

The use of n as format specifier is an obsolescent feature.
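
The paper's two points, that %n is an attack target and offers little utility, can be shown in code. The following C example is added here and is not part of N2834: `format_uses_n` flags format strings containing an n conversion before they reach a printf-family call, and `write_record` obtains the count that %n would store from the return value of snprintf instead. Both function names are hypothetical, and the `$` handling covers the POSIX positional form, which ISO C does not define.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if fmt contains an n conversion specification, else 0.
   Each specification is walked in the order 7.21.6.1 gives: flags,
   field width, precision, length modifier, conversion specifier. */
int format_uses_n(const char *fmt)
{
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        p += strspn(p, "-+ #0");           /* flags */
        p += strspn(p, "0123456789*$");    /* width; '$' is POSIX-only */
        if (*p == '.')                     /* precision */
            p += 1 + strspn(p + 1, "0123456789*$");
        p += strspn(p, "hljztL");          /* length modifiers */
        if (*p == 'n')
            return 1;
        if (*p == '\0')
            return 0;                      /* truncated specification */
    }
    return 0;
}

/* Builds "key = value" and reports the column where the value starts,
   i.e. what "%s = %n%d" would have stored, using only the return value
   of snprintf. Returns the total length, or -1 on error or truncation. */
int write_record(char *buf, size_t size, const char *key, int value, int *col)
{
    int prefix = snprintf(buf, size, "%s = ", key);
    if (prefix < 0 || (size_t)prefix >= size)
        return -1;
    int rest = snprintf(buf + prefix, size - prefix, "%d", value);
    if (rest < 0 || (size_t)rest >= size - prefix)
        return -1;
    *col = prefix;
    return prefix + rest;
}

int main(void)
{
    char buf[32];
    int col = 0;                           /* inputs below are constructed */
    printf("%d %d\n", format_uses_n("%s = %n%d"), format_uses_n("100%%n"));
    if (write_record(buf, sizeof buf, "port", 8080, &col) > 0)
        printf("%s (value at column %d)\n", buf, col);
    return 0;
}
```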

Acknowledgements

I want to thank Thomas Kemmer and Reinhard Kopka for helpful comments.

References

[1] https://android.googlesource.com/platform/bionic/+/HEAD/docs/status.md

[2] https://docs.microsoft.com/en-us/cpp/c-runtime-library/format-specification-syntax-printf-and-wprintf-functions?view=msvc-160

[3] https://github.com/ensc/dietlibc/blob/master/README.security 

[4] N2596 2020/12/12 Meneide, C2x Working Draft