Insecure function vsprintf may cause write-overflow in function Server_debug #222

Closed
Daybreak2019 opened this issue May 27, 2021 · 3 comments

Comments

@Daybreak2019

Code snippet

```c
Server_start_rec_internal(Server *self, char *filename)
{
        .................
        /* filename comes from external module, the length is indeterminate */
        Server_debug(self, "Recording filename path = %s\n", filename);
        if (! (self->recfile = sf_open(filename, SFM_WRITE, &self->recinfo)))
        {
            /* filename comes from external module, the length is indeterminate */
            Server_error(self, "Not able to open output file %s.\n", filename);

            Server_debug(self, "%s\n", sf_strerror(self->recfile));
            return -1;
        }
        .................
}

Server_debug(Server *self, char * format, ...)
{
    if (self->verbosity & 8)
    {
        char buffer[256];
        va_list args;
        va_start (args, format);
        /* Variable parameters may lead to write overflow in buffer */
        vsprintf (buffer, format, args);
        va_end (args);
        PySys_WriteStdout("Pyo debug: %s", buffer);
    }
}
```

Description

Function: Server_debug
File: servermodule.c
Call-path: recstart (Python) -> Server_start_rec -> Server_start_rec_internal -> Server_debug
WarningType: Write-overflow. Our analysis tool reported a warning at vsprintf in Server_debug. As buffer is a fixed-size stack variable, when debug mode is enabled, vsprintf may cause a write overflow with no boundary check, especially when the inputs depend on external modules (e.g., Python).
Also seen in Details
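
The bounded form of the `Server_debug` pattern reported above, as an added example; it is not code from the issue or from the commit that closed it. `bounded_vformat`, `debug_line`, `debug_long_filename` and `last_line` are hypothetical names, `last_line` stands in for `PySys_WriteStdout`, and the 256-byte buffer matches the snippet.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define DEBUG_BUF_SIZE 256      /* same size as the stack buffer in the issue */
static char last_line[512];     /* stand-in for PySys_WriteStdout output */

/* Hypothetical helper, not pyo's API: format into out[cap] and never write
 * past it. Returns 0 if the message fit, 1 if truncated, -1 on error. */
static int bounded_vformat(char *out, size_t cap, const char *format, va_list args)
{
    int needed;
    if (cap == 0) return -1;
    needed = vsnprintf(out, cap, format, args);   /* always NUL-terminates */
    if (needed < 0) { out[0] = '\0'; return -1; }
    if ((size_t)needed < cap) return 0;
    if (cap >= 4) memcpy(out + cap - 4, "...", 4); /* make the cut visible */
    return 1;
}

/* Same shape as Server_debug in the issue, with the bounded write. */
static int debug_line(const char *format, ...)
{
    char buffer[DEBUG_BUF_SIZE];
    va_list args;
    int rc;
    va_start(args, format);
    rc = bounded_vformat(buffer, sizeof buffer, format, args);
    va_end(args);
    snprintf(last_line, sizeof last_line, "Pyo debug: %s", buffer);
    return rc;
}

/* Constructed input: a 1023-byte filename, far longer than the buffer. */
static int debug_long_filename(void)
{
    char filename[1024];
    memset(filename, 'A', sizeof filename - 1);
    filename[sizeof filename - 1] = '\0';
    return debug_line("Recording filename path = %s\n", filename);
}

int main(void)
{
    printf("short: %d\n", debug_line("Recording filename path = %s\n", "out.wav"));
    int rc = debug_long_filename();
    printf("long:  %d, %zu bytes logged\n", rc, strlen(last_line));
    return 0;
}
```

The return value of `vsnprintf` is the length the full message would have had, so comparing it against the buffer size is what distinguishes a complete log line from a cut one.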

@Daybreak2019
Author

Can anyone help confirm this issue? Thanks.

@belangeo
Owner

I'll take a look as soon as I get a chance. Thanks for reporting.

belangeo added a commit that referenced this issue Jun 3, 2021
@belangeo
Owner

belangeo commented Jun 3, 2021

Fixed!
