I don't really get, what you are trying to accomplish here, but the vulnerability comes from letting the userhacker supply a format string. He can then supply %n which causes the printf-function-family to write to memory (the number of bytes written so far).
int answer = 42;
printf("Hello %nworld\n", &answer);
// "Hello " is 6 bytes long
printf(
"The answer to the ultimate question of life, "
"the universe and everything is: %i\n"
, answer
);
Will print 6 as answer, instead of 42.
Answer from Bodo Thiesen on Stack OverflowVideos
Your code is fine.
The issue is that if you pass a string that is user controlled as a printf format string, security bugs can arise.
For instance, printf(userName);
Where userName is supplied by the user, a user can pass "%s", and get your function to start accessing data at a random address on the stack, which could result in a crash. printf will try to pop additional parameters off the stack, resulting in a stack corruption. Denial of service attack like this is probably the best case, information can be disclosed by getting printf to dump out values on the stack and there are even ways to get printf style functions to modify the return address on the stack.
Since your strings are not user controlled, it is safe to ignore this message. The typical fix is to replace the printf example I gave with printf("%s", userName);, which would not appear to help in your case because the const strings appear to contain format strings.
Wikipedia has more on format string vulnerabilities here: http://en.wikipedia.org/wiki/Format_string_vulnerabilities
Idea is that value of testStrings[testID] can be changed somehow to include extra format specifiers.
Because snprintf() has no possibility to check whether number of parameters match the number of format specifiers it will just take next address from stack to use as value for next format specifier and weird things can happen then.
It is known as format string attack.
What happens in these 2 cases ?
Case 1
char buf[3];
vsprint(buf, "%s", args);
Case 2
char buf[3];
vsnprint(buf, sizeof buf, "%s", args);
In case 1, if the string you're formatting has a length of 3 or greater, you have a buffer overrun, vsprintf might write to memory past the storage of the buf array, which is undefined behavior, possibly causing havoc/security concerns/crashes/etc.
In case 2. vsnprintf knows how big the buffer that will contain the result is, and it will make sure not to go past that(instead truncating the result to fit within buf ).
It's because vsnprintf has an additional size_t count parameter that vsprintf (and other non-n *sprintf methods) does not have. The implementation uses this to ensure that the data it writes to your buffer will not run off the end.
Data that runs off the end of a buffer can result in data corruption, or when maliciously exploited can be used as a buffer overrun attack.