The first step is never to pass user input directly to a formatting function, and to apply that rule at every level that handles formatted output. As an additional note, the formatting functions have significant overhead (look at the source for _output if you're interested), so it might seem convenient to write:
fprintf(stdout, buf);   /* buf, which holds user input, becomes the format string */
The preceding line of code isn't just dangerous; it also consumes a lot of extra CPU cycles, because the input is parsed for directives that were never intended.
The second step is to ensure that the format strings your application uses are read only from trusted places, and that the paths to those strings cannot be controlled by the attacker. If you're writing code for UNIX or Linux, following the example of the BSD variants and ignoring the NLSPATH variable, which can be used to specify the file used for localized messages, may provide some defense in depth.
There isn't much more to it than this:
printf("%s", user_input);
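The two rules above, as an added example in C that is not code from the original text: user input is only ever bound to a literal "%s", the real format strings live in a compiled-in table rather than a file found through an environment variable, a hypothetical wrapper (`fmt_to_buf`) carries the GCC/Clang format attribute so `-Wformat -Wformat-security` catches the `fprintf(stdout, buf)` mistake at compile time, and a small detector flags inputs containing conversion directives for log review.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Trusted formats are compiled in, not read from a user-controllable path. */
static const char *const kMessages[] = { "login: user %s\n", "error: %s\n" };
#define MSG_COUNT (sizeof kMessages / sizeof kMessages[0])
/* Hypothetical vsnprintf wrapper. On GCC/Clang the format attribute lets
 * -Wformat -Wformat-security flag a caller that passes a non-literal format
 * with no arguments, i.e. the fprintf(stdout, buf) mistake, at compile time. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int fmt_to_buf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* The fix from the text: user input is bound to a literal "%s". */
int echo_user_input(char *out, size_t outlen, const char *user_input)
{
    return fmt_to_buf(out, outlen, "%s", user_input);
}

/* A table message: the index comes from the program, the user input only
 * ever fills the %s. Returns -1 for an unknown id. */
int render_message(char *out, size_t outlen, size_t id, const char *user_input)
{
    if (id >= MSG_COUNT)
        return -1;
    return snprintf(out, outlen, kMessages[id], user_input);
}

/* Detection aid for log review, not a fix: 1 if the input carries a
 * conversion directive ('%' not followed by '%'), else 0. */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s == '%' && s[1] != '%')
            return 1;
        if (*s == '%')
            s++;                     /* skip the second '%' of "%%" */
    }
    return 0;
}
```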