Re: git: e17fede8ff46 - main - Fix too small sscanf output buffers in kbdmap
Date: Sun, 06 Feb 2022 15:41:31 UTC
On Sun, Feb 06, 2022 at 03:26:00PM +0000, Dimitry Andric wrote: > The branch main has been updated by dim: > > URL: https://cgit.FreeBSD.org/src/commit/?id=e17fede8ff4629b5ff640ed660940b04c70da0b6 > > commit e17fede8ff4629b5ff640ed660940b04c70da0b6 > Author: Dimitry Andric <dim@FreeBSD.org> > AuthorDate: 2022-02-06 15:25:11 +0000 > Commit: Dimitry Andric <dim@FreeBSD.org> > CommitDate: 2022-02-06 15:25:25 +0000 > > Fix too small sscanf output buffers in kbdmap > > This fixes the following warnings from clang 14: > > usr.sbin/kbdmap/kbdmap.c:241:16: error: 'sscanf' may overflow; destination buffer in argument 5 has size 20, but the corresponding specifier may require size 21 [-Werror,-Wfortify-source] > &a, &b, buf); > ^ > usr.sbin/kbdmap/kbdmap.c:615:8: error: 'sscanf' may overflow; destination buffer in argument 3 has size 64, but the corresponding specifier may require size 65 [-Werror,-Wfortify-source] > keym, lng, desc); > ^ > usr.sbin/kbdmap/kbdmap.c:615:14: error: 'sscanf' may overflow; destination buffer in argument 4 has size 64, but the corresponding specifier may require size 65 [-Werror,-Wfortify-source] > keym, lng, desc); > ^ > usr.sbin/kbdmap/kbdmap.c:615:19: error: 'sscanf' may overflow; destination buffer in argument 5 has size 256, but the corresponding specifier may require size 257 [-Werror,-Wfortify-source] > keym, lng, desc); > ^ > > In each case, the buffer being sscanf'd into is one byte too small. > > MFC after: 3 days > --- > usr.sbin/kbdmap/kbdmap.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/usr.sbin/kbdmap/kbdmap.c b/usr.sbin/kbdmap/kbdmap.c > index a11956b682ee..0702c1e66e94 100644 > --- a/usr.sbin/kbdmap/kbdmap.c > +++ b/usr.sbin/kbdmap/kbdmap.c > @@ -225,7 +225,7 @@ get_extension(const char *name) > static char * > get_font(void) > { > - char line[256], buf[20]; > + char line[256], buf[21]; > char *fnt = NULL; > > FILE *fp = fopen(sysconfig, "r"); 
> @@ -566,7 +566,7 @@ menu_read(void) > char *p; > int mark, num_keymaps, items, i; > char buffer[256], filename[PATH_MAX]; > - char keym[64], lng[64], desc[256]; > + char keym[65], lng[65], desc[257]; > char dialect[64], lang_abk[64]; > struct keymap *km; > struct keymap **km_sorted; > Hey Dimitry, Would commits like this and d310bf3867b4168e57365196c3a31797c0538097 normally cause SAs? Off-by-one bugs are typically considered security bugs. Thanks, -- Shawn Webb Cofounder / Security Engineer HardenedBSD https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
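Review bot: In the get_font() hunk, `buf[21]` is sized to match a field width in the sscanf format string at kbdmap.c:241, which this hunk does not touch, and nothing at the declaration records that coupling. Per the quoted warning, the specifier may require 21 bytes, so the two numbers have to move together. A named constant shared by the format width and the array size, or at least a comment on the declaration, would keep a later edit to either one from reintroducing the one-byte mismatch.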
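Review bot: In the menu_read() hunk, `keym` and `lng` grow to 65 bytes while `dialect[64]` and `lang_abk[64]` on the next line stay at 64. It is worth confirming that no code further down copies a full-length `keym` or `lng` (64 characters plus the terminator) into those two buffers without a bound. If they can receive the parsed values, they need the same extra byte or an explicit length limit on the copy. The bare literals 65 and 257 would also benefit from a comment tying them to the widths in the sscanf format at line 615.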