belangeo / pyo

Python DSP module

Home Page: http://ajaxsoundstudio.com/software/pyo/


Insecure function vsprintf may cause write-overflow in function Server_debug

awen-li opened this issue · comments

commented

Code snippet

Server_start_rec_internal(Server *self, char *filename)
{
    /* ................. */
    /* filename comes from external module, the length is indeterminate */
    Server_debug(self, "Recording filename path = %s\n", filename);
    if (! (self->recfile = sf_open(filename, SFM_WRITE, &self->recinfo)))
    {
        /* filename comes from external module, the length is indeterminate */
        Server_error(self, "Not able to open output file %s.\n", filename);

        Server_debug(self, "%s\n", sf_strerror(self->recfile));
        return -1;
    }
    /* ................. */
}

Server_debug(Server *self, char * format, ...)
{
    if (self->verbosity & 8)
    {
        char buffer[256];
        va_list args;
        va_start (args, format);
        /* Variable parameters may lead to write overflow in buffer */
        vsprintf (buffer, format, args);
        va_end (args);
        PySys_WriteStdout("Pyo debug: %s", buffer);
    }
}

Description

Function: Server_debug
File: servermodule.c
Call-path: recstart (Python) -> Server_start_rec -> Server_start_rec_internal -> Server_debug
WarningType: Write-overflow. Our analysis tool reported a warning at vsprintf in Server_debug. As buffer is a fixed-size stack variable, when debug mode is enabled, vsprintf may cause a write overflow with no boundary check, especially when the inputs depend on external modules (e.g., Python).
Also seen in Details
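A bounded variant of the formatting step reported above, as an added example that is not pyo's code and not part of the original issue. The names `format_bounded`, `debug_message` and `DEBUG_BUF_SIZE` are hypothetical, and the caller passes the buffer in so the example builds without Python or a `Server` struct.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define DEBUG_BUF_SIZE 256 /* same size as the stack buffer in the report */

/* Hypothetical helper: format into a buffer of known size.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
static int format_bounded(char *buf, size_t size, const char *format, va_list args)
{
    static const char mark[] = "...\n"; /* visible truncation marker */
    int needed;

    if (size == 0)
        return -1;
    /* vsnprintf writes at most size bytes, including the terminating NUL,
     * and returns the length the full message would have had. */
    needed = vsnprintf(buf, size, format, args);
    if (needed < 0) {
        buf[0] = '\0';
        return -1;
    }
    if ((size_t)needed >= size) {
        if (size > sizeof(mark))
            memcpy(buf + size - sizeof(mark), mark, sizeof(mark));
        return 1;
    }
    return 0;
}

/* Hypothetical stand-in for the body of Server_debug. */
static int debug_message(char *buf, size_t size, const char *format, ...)
{
    va_list args;
    int status;

    va_start(args, format);
    status = format_bounded(buf, size, format, args);
    va_end(args);
    return status;
}

int main(void)
{
    char filename[1001]; /* constructed input: a 1000-byte file name */
    char buffer[DEBUG_BUF_SIZE];

    memset(filename, 'A', sizeof(filename) - 1);
    filename[sizeof(filename) - 1] = '\0';
    int status = debug_message(buffer, sizeof(buffer),
                               "Recording filename path = %s\n", filename);
    printf("status=%d len=%zu\n", status, strlen(buffer));
    return 0;
}
```
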

commented

Can anyone help confirm this issue? Thanks.

I'll take a look as soon as I get a chance. Thanks for reporting.