Use of scanf() operation that permits buffer overflows (IN EXAMPLES) #7293
Comments
Developers who used these examples as a reference for their work MUST change their sources to avoid this vulnerability.
The synctime.c case has a line immediately before the sscanf to avoid an overflow (the comment says "Can prevent buffer overflow"); however, it's flawed in that it relies on undefined behaviour (how variables are assigned on the stack). That's probably not a security issue in real life, but ought to be fixed.

The second one doesn't look like an issue to me at all. The input buffer size is limited to less than max_len in the read, which means that the result of sscanf will always be smaller than the buffer.
The comment asks the question "Can prevent buffer overflow to TmpStr1 & 2?" as it spans two lines.
That's what I was referring to. Can you send a PR to fix it?
I'm not sure of the PR right now.
Reported-by: Jishan Shaikh
Fixes #7293
The scanf() family's %s operation, without a limit specification, permits buffer overflows (CWE-120, CWE-20).
LABEL: Bug
SEVERITY: Major
SOLUTION: Specify a limit to %s, or use a different input function.
COMMON WEAKNESS ENUMERATION INDEX: CWE-120, CWE-20
Instances found in the repo:
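The CWE-120 pattern from the report next to a width-limited form that also detects truncation, as an added C example that is not code from the project or from this issue; NAME_LEN, NAME_WIDTH, the parse_name_* functions and the sample inputs are assumptions:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Destination size, and the width passed to %s: one less, leaving room for the NUL. */
#define NAME_LEN 16
#define NAME_WIDTH 15
#define STR_(x) #x
#define STR(x) STR_(x)

/* Vulnerable form (the pattern the issue reports): "%s" carries no width, so a
 * token longer than NAME_LEN - 1 characters writes past the end of `name`.
 * Kept only for comparison; it is never called in this example. */
int parse_name_unbounded(const char *line, char name[NAME_LEN]) {
    return sscanf(line, "%s", name);
}

/* Hardened form: the width caps what sscanf writes at NAME_WIDTH characters
 * plus the terminator. %n records how many input characters were consumed,
 * so a token that was cut off is reported instead of silently truncated.
 * Returns 1 on success, 0 if no token was found, -1 if the token did not fit. */
int parse_name_bounded(const char *line, char name[NAME_LEN]) {
    int consumed = 0;
    if (sscanf(line, "%" STR(NAME_WIDTH) "s%n", name, &consumed) != 1)
        return 0;
    /* If the next unread character is neither whitespace nor the end of the
     * string, the token was longer than NAME_WIDTH and has been truncated. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return -1;
    return 1;
}

int main(void) {
    char name[NAME_LEN];
    const char *ok = "alice 10";                      /* constructed sample input */
    const char *too_long = "averyveryverylongname 10"; /* constructed sample input */
    printf("%d %s\n", parse_name_bounded(ok, name), name);
    printf("%d\n", parse_name_bounded(too_long, name));
    return 0;
}
```

Note that a bare width limit only stops the overflow; without the %n check a too-long token is accepted in truncated form, which is often a logic bug of its own.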