NetBSD Problem Report #50609

From www@NetBSD.org  Sat Jan  2 14:02:31 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
	by mollari.NetBSD.org (Postfix) with ESMTPS id A1F637ABC0
	for <gnats-bugs@gnats.NetBSD.org>; Sat,  2 Jan 2016 14:02:31 +0000 (UTC)
Message-Id: <20160102140230.C0CB47ACBF@mollari.NetBSD.org>
Date: Sat,  2 Jan 2016 14:02:30 +0000 (UTC)
From: dcb314@hotmail.com
Reply-To: dcb314@hotmail.com
To: gnats-bugs@NetBSD.org
Subject: lib/libusbhid/usage.c: 3 * missing ranges in scanf
X-Send-Pr-Version: www-1.0

>Number:         50609
>Category:       lib
>Synopsis:       lib/libusbhid/usage.c: 3 * missing ranges in scanf
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Jan 02 14:05:01 +0000 2016
>Last-Modified:  Tue May 31 02:15:00 +0000 2016
>Originator:     David Binderman
>Release:        cvs dated 20160102
>Organization:
>Environment:
>Description:
1.

[lib/libusbhid/usage.c:97]: (warning) scanf without field width limits can crash with huge input data.

       if (sscanf(line, " * %[^\n]", name) == 1)

but

    char line[100], name[100], *p, *n;

2.

[lib/libusbhid/usage.c:99]: (warning) scanf without field width limits can crash with huge input data.

        else if (sscanf(line, " 0x%x %[^\n]", &no, name) != 2 &&

3.

[lib/libusbhid/usage.c:100]: (warning) scanf without field width limits can crash with huge input data.

           sscanf(line, " %d %[^\n]", &no, name) != 2)

>How-To-Repeat:

>Fix:

>Audit-Trail:
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: lib/50609: lib/libusbhid/usage.c: 3 * missing ranges in scanf
Date: Tue, 31 May 2016 02:12:36 +0000

 On Sat, Jan 02, 2016 at 02:05:01PM +0000, dcb314@hotmail.com wrote:
  > [lib/libusbhid/usage.c:97]: (warning) scanf without field width limits can crash with huge input data.
  > 
  >        if (sscanf(line, " * %[^\n]", name) == 1)
  > 
  > but
  > 
  >     char line[100], name[100], *p, *n;

 Right, it can't output more into name[] than is in line[] so it can't
 overflow... this seems like a false positive, though the code's
 certainly untidy.

 -- 
 David A. Holland
 dholland@netbsd.org
NetBSD Home
NetBSD PR Database Search
(Contact us) $NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.