Re: git: e17fede8ff46 - main - Fix too small sscanf output buffers in kbdmap

From: Shawn Webb <shawn.webb_at_hardenedbsd.org>
Date: Sun, 06 Feb 2022 15:41:31 UTC
On Sun, Feb 06, 2022 at 03:26:00PM +0000, Dimitry Andric wrote:
> The branch main has been updated by dim:
> 
> URL: https://cgit.FreeBSD.org/src/commit/?id=e17fede8ff4629b5ff640ed660940b04c70da0b6
> 
> commit e17fede8ff4629b5ff640ed660940b04c70da0b6
> Author:     Dimitry Andric <dim@FreeBSD.org>
> AuthorDate: 2022-02-06 15:25:11 +0000
> Commit:     Dimitry Andric <dim@FreeBSD.org>
> CommitDate: 2022-02-06 15:25:25 +0000
> 
>     Fix too small sscanf output buffers in kbdmap
>     
>     This fixes the following warnings from clang 14:
>     
>     usr.sbin/kbdmap/kbdmap.c:241:16: error: 'sscanf' may overflow; destination buffer in argument 5 has size 20, but the corresponding specifier may require size 21 [-Werror,-Wfortify-source]
>                                 &a, &b, buf);
>                                         ^
>     usr.sbin/kbdmap/kbdmap.c:615:8: error: 'sscanf' may overflow; destination buffer in argument 3 has size 64, but the corresponding specifier may require size 65 [-Werror,-Wfortify-source]
>                                 keym, lng, desc);
>                                 ^
>     usr.sbin/kbdmap/kbdmap.c:615:14: error: 'sscanf' may overflow; destination buffer in argument 4 has size 64, but the corresponding specifier may require size 65 [-Werror,-Wfortify-source]
>                                 keym, lng, desc);
>                                       ^
>     usr.sbin/kbdmap/kbdmap.c:615:19: error: 'sscanf' may overflow; destination buffer in argument 5 has size 256, but the corresponding specifier may require size 257 [-Werror,-Wfortify-source]
>                                 keym, lng, desc);
>                                            ^
>     
>     In each case, the buffer being sscanf'd into is one byte too small.
>     
>     MFC after:       3 days
> ---
>  usr.sbin/kbdmap/kbdmap.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/usr.sbin/kbdmap/kbdmap.c b/usr.sbin/kbdmap/kbdmap.c
> index a11956b682ee..0702c1e66e94 100644
> --- a/usr.sbin/kbdmap/kbdmap.c
> +++ b/usr.sbin/kbdmap/kbdmap.c
> @@ -225,7 +225,7 @@ get_extension(const char *name)
>  static char *
>  get_font(void)
>  {
> -	char line[256], buf[20];
> +	char line[256], buf[21];
>  	char *fnt = NULL;
>  
>  	FILE *fp = fopen(sysconfig, "r");
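Review bot: `buf[21]` now matches the conversion width the clang warning in the commit message refers to (20 characters plus the terminating NUL), but that width lives in the format string outside this hunk, so the two literals can drift apart again the next time either is edited; consider deriving both from one constant (e.g. `char buf[FONT_WIDTH + 1]` with the width stringified into the format from the same macro), or at least a comment at the declaration stating why it is 21 rather than 20.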
> @@ -566,7 +566,7 @@ menu_read(void)
>  	char *p;
>  	int mark, num_keymaps, items, i;
>  	char buffer[256], filename[PATH_MAX];
> -	char keym[64], lng[64], desc[256];
> +	char keym[65], lng[65], desc[257];
>  	char dialect[64], lang_abk[64];
>  	struct keymap *km;
>  	struct keymap **km_sorted;
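Review bot: `dialect[64]` and `lang_abk[64]` on the unchanged context line directly below keep the size that was just found to be one byte short for `keym` and `lng`; if either is filled by a `%64s`-style conversion from the same line, it has the same off-by-one, so it is worth confirming they are not sscanf targets (clang only flagged arguments 3 to 5 at line 615) or sizing them 65 as well for consistency.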
> 

Hey Dimitry,

Would commits like this and d310bf3867b4168e57365196c3a31797c0538097
normally cause SAs? Off-by-one bugs are typically considered security
bugs.

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
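The commit message's point, that a `%Ns` conversion can store N characters plus a NUL and so needs N+1 bytes, as an added example in C that is not kbdmap's code: the width and the buffer size are derived from one constant so they cannot drift apart, and `%n` is used to detect when a token was longer than the width and was silently cut. `FIELD_WIDTH`, `struct font_line` and `parse_font_line` are hypothetical names chosen for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One constant feeds both the conversion width and the buffer size. */
#define FIELD_WIDTH 20
#define STR_(x) #x
#define STR(x) STR_(x)
#define FIELD_FMT "%" STR(FIELD_WIDTH) "s"   /* expands to "%20s" */

struct font_line {
	int a;
	int b;
	char name[FIELD_WIDTH + 1];   /* width characters plus the NUL */
};

/*
 * Parse a constructed "<a> <b> <name>" line into *out.
 * Returns 0 on success, -1 if fewer than three fields matched, and
 * -2 if the name token was longer than FIELD_WIDTH (sscanf stores only
 * the first FIELD_WIDTH bytes and leaves the rest unread, which would
 * otherwise go unnoticed and corrupt any parsing of later fields).
 */
int parse_font_line(const char *line, struct font_line *out)
{
	int consumed = 0;
	int n;

	memset(out, 0, sizeof *out);
	n = sscanf(line, "%d %d " FIELD_FMT "%n",
	    &out->a, &out->b, out->name, &consumed);
	if (n != 3)
		return -1;
	/* %n ran only after the three conversions succeeded; the byte right
	 * after the stored token must be end of string or whitespace. */
	if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
		return -2;
	return 0;
}

int main(void)
{
	struct font_line fl;
	/* 25-character name: exceeds FIELD_WIDTH and is reported as truncated */
	int rc = parse_font_line("1 2 abcdefghijklmnopqrstuvwxy", &fl);
	printf("rc=%d name=\"%s\" len=%zu\n", rc, fl.name, strlen(fl.name));
	return 0;
}
```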