NetBSD Problem Report #50609
From www@NetBSD.org Sat Jan 2 14:02:31 2016
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.NetBSD.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.netbsd.org", Issuer "Postmaster NetBSD.org" (verified OK))
by mollari.NetBSD.org (Postfix) with ESMTPS id A1F637ABC0
for <gnats-bugs@gnats.NetBSD.org>; Sat, 2 Jan 2016 14:02:31 +0000 (UTC)
Message-Id: <20160102140230.C0CB47ACBF@mollari.NetBSD.org>
Date: Sat, 2 Jan 2016 14:02:30 +0000 (UTC)
From: dcb314@hotmail.com
Reply-To: dcb314@hotmail.com
To: gnats-bugs@NetBSD.org
Subject: lib/libusbhid/usage.c: 3 * missing ranges in scanf
X-Send-Pr-Version: www-1.0
>Number: 50609
>Category: lib
>Synopsis: lib/libusbhid/usage.c: 3 * missing ranges in scanf
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Jan 02 14:05:01 +0000 2016
>Last-Modified: Tue May 31 02:15:00 +0000 2016
>Originator: David Binderman
>Release: cvs dated 20160102
>Organization:
>Environment:
>Description:
1.
[lib/libusbhid/usage.c:97]: (warning) scanf without field width limits can crash with huge input data.
if (sscanf(line, " * %[^\n]", name) == 1)
but
char line[100], name[100], *p, *n;
2.
[lib/libusbhid/usage.c:99]: (warning) scanf without field width limits can crash with huge input data.
else if (sscanf(line, " 0x%x %[^\n]", &no, name) != 2 &&
3.
[lib/libusbhid/usage.c:100]: (warning) scanf without field width limits can crash with huge input data.
sscanf(line, " %d %[^\n]", &no, name) != 2)
>How-To-Repeat:
>Fix:
>Audit-Trail:
From: David Holland <dholland-bugs@netbsd.org>
To: gnats-bugs@NetBSD.org
Cc:
Subject: Re: lib/50609: lib/libusbhid/usage.c: 3 * missing ranges in scanf
Date: Tue, 31 May 2016 02:12:36 +0000
On Sat, Jan 02, 2016 at 02:05:01PM +0000, dcb314@hotmail.com wrote:
> [lib/libusbhid/usage.c:97]: (warning) scanf without field width limits can crash with huge input data.
>
> if (sscanf(line, " * %[^\n]", name) == 1)
>
> but
>
> char line[100], name[100], *p, *n;
Right, it can't output more into name[] than is in line[] so it can't
overflow... this seems like a false positive, though the code's
certainly untidy.
--
David A. Holland
dholland@netbsd.org
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2014
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.