What is the use of the %n format specifier in C?
Most of these answers explain what %n does (which is to print nothing and to write the number of characters printed thus far to an int variable), but so far no one has really given an example of what use it has. Here is one:
int n;printf("%s: %nFoo\n", "hello", &n);printf("%*sBar\n", n, "");will print:
hello: Foo Barwith Foo and Bar aligned. (It's trivial to do that without using %n for this particular example, and in general one always could break up that first printf call:
int n = printf("%s: ", "hello");printf("Foo\n");printf("%*sBar\n", n, "");Whether the slightly added convenience is worth using something esoteric like %n (and possibly introducing errors) is open to debate.)
Nothing printed. The argument must be a pointer to a signed int, where the number of characters written so far is stored.
#include <stdio.h>int main(){ int val; printf("blah %n blah\n", &val); printf("val = %d\n", val); return 0;}The previous code prints:
blah blahval = 5
I haven't really seen many practical real world uses of the %n specifier, but I remember that it was used in oldschool printf vulnerabilities with a format string attack quite a while back.
Something that went like this
void authorizeUser( char * username, char * password){ ...code here setting authorized to false... printf(username); if ( authorized ) { giveControl(username); }}where a malicious user could take advantage of the username parameter getting passed into printf as the format string and use a combination of %d, %c or w/e to go through the call stack and then modify the variable authorized to a true value.
Yeah it's an esoteric use, but always useful to know when writing a daemon to avoid security holes? :D