- Fix snprintf() supports the n-specifier,

reported by X41 D-Sec.
2024-09-21 06:37:08 +00:00 · 2019-12-03 16:29:18 +01:00 · 2019-12-03 16:29:18 +01:00 · 9ce6119513
commit 9ce6119513
parent 534eac6ae5
2 changed files with 7 additions and 2 deletions
--- a/compat/snprintf.c
+++ b/compat/snprintf.c
@ -658,7 +658,7 @@ int vsnprintf(char* str, size_t size, const char* format, va_list arg)
 		 * are not their own functions. */

 		/* printout designation:
-		 * conversion specifier: x, d, u, s, c, n, m, p
+		 * conversion specifier: x, d, u, s, c, m, p
 		 * flags: # not supported
 		 *        0 zeropad (on the left)
 		 *	  - left adjust (right by default)
@ -798,7 +798,10 @@ int vsnprintf(char* str, size_t size, const char* format, va_list arg)
 				minw, minus);
 			break;
 		case 'n':
-			*va_arg(arg, int*) = ret;
+			/* unsupported to harden against format string
+			 * exploitation,
+			 * handled like an unknown format specifier. */
+			/* *va_arg(arg, int*) = ret; */
 			break;
 		case 'm':
 			print_str(&at, &left, &ret, strerror(errno),
--- a/doc/Changelog
+++ b/doc/Changelog
@ -22,6 +22,8 @@
 	- Fix Hang in sldns_wire2str_pkt_scan(),
 	  reported by X41 D-Sec.
 	  This further lowers the max to 256.
+	- Fix snprintf() supports the n-specifier,
+	  reported by X41 D-Sec.

 2 December 2019: Wouter
 	- Merge pull request #122 from he32: In tcp_callback_writer(),