On 11.09.2021 20:33, Christian Weisgerber via libssh2-devel wrote:

> In libssh2's example/subsystem_netconf.c, a pointer to a variable of the wrong size (on LP64) is passed. Ouch. The patch below fixes this and also eliminates the %n format specifier that is increasingly discouraged:
>
> --- example/subsystem_netconf.c.orig > +++ example/subsystem_netconf.c > @@ -257,14 +257,14 @@ int main(int argc, char *argv[]) > /* NETCONF: https://tools.ietf.org/html/draft-ietf-netconf-ssh-06 */ > > fprintf(stderr, "Sending NETCONF client <hello>\n"); > - snprintf(buf, sizeof(buf), > + len = snprintf(buf, sizeof(buf), > "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" > "<hello>" > "<capabilities>" > "<capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>" > "</capabilities>" > "</hello>\n" > - "]]>]]>\n%n", (int *)&len); > + "]]>]]>\n"); > if(-1 == netconf_write(channel, buf, len)) > goto shutdown;

This is broken (with security implications). snprintf can return a value larger than sizeof(buf) or -1. The same applies to %n (that is, the original code was broken too).

> @@ -277,12 +277,12 @@ int main(int argc, char *argv[]) > (int)len, buf); > > fprintf(stderr, "Sending NETCONF <rpc>\n"); > - snprintf(buf, sizeof(buf), > + len = snprintf(buf, sizeof(buf), > "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" > "<rpc xmlns=\"urn:ietf:params:xml:ns:netconf:base:1.0\">" > "<get-interface-information><terse/></get-interface-information>" > "</rpc>\n" > - "]]>]]>\n%n", (int *)&len); > + "]]>]]>\n"); > if(-1 == netconf_write(channel, buf, len)) > goto shutdown; > >

--
libssh2-devel mailing list
libssh2-devel@lists.haxx.se
https://lists.haxx.se/listinfo/libssh2-devel
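Review bot: In the <hello> hunk, `len = snprintf(buf, sizeof(buf), ...)` feeds `netconf_write(channel, buf, len)` with no range check on the result. snprintf returns a negative value on an output error and, when the output is truncated, the length the full string would have needed, so len can fall outside the bounds of buf. Suggest rejecting a negative result and a result >= sizeof(buf) (going to shutdown) before the write. The removed `(int *)&len` cast indicates that len is not an int, so compare the int return value before storing it in len; otherwise a negative result may not survive the conversion.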
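Review bot: In the <rpc> hunk, with %n gone the format string has no conversions left, so snprintf does no formatting and the request length is a compile-time constant. Suggest keeping the request in a static const char array and passing its sizeof minus one as the length, which removes the need to validate a snprintf return value before `netconf_write(channel, buf, len)`. If snprintf stays, its result needs a check for a negative value or one >= sizeof(buf) before it is used as the write length.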
Re: Fix example/subsystem_netconf.c
Yuriy M. Kaminskiy via libssh2-devel Sat, 11 Sep 2021 14:12:53 -0700
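The snprintf return-value behaviour raised in the reply, as an added example (not code from libssh2 or from this thread). `format_checked` and `format_unchecked` are hypothetical helpers and the sample message is constructed; the example shows snprintf reporting a length larger than the buffer on truncation, and a wrapper that never returns such a length.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not part of libssh2): format into buf and return the
 * number of bytes stored, or -1 if formatting failed or the output did not
 * fit. A non-negative result is always a valid write length for buf. */
static int format_checked(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);

    if(n < 0)               /* output error */
        return -1;
    if((size_t)n >= size)   /* truncated: n is the length that was needed */
        return -1;
    return n;
}

/* The unchecked pattern: the raw snprintf result used as a length. */
static int format_unchecked(char *buf, size_t size, const char *msg)
{
    return snprintf(buf, size, "%s", msg);
}

/* Constructed sample ending in the NETCONF end-of-message marker. */
static const char sample[] = "<hello></hello>\n]]>]]>\n";

int main(void)
{
    char small[8], big[64];

    printf("unchecked, 8-byte buffer: %d (buffer holds %zu bytes)\n",
           format_unchecked(small, sizeof(small), sample), strlen(small));
    printf("checked, 8-byte buffer: %d\n",
           format_checked(small, sizeof(small), "%s", sample));
    printf("checked, 64-byte buffer: %d\n",
           format_checked(big, sizeof(big), "%s", sample));
    return 0;
}
```

With the 8-byte buffer the unchecked call reports 23 bytes although only 7 were stored, which is the length a subsequent write would read past the end of the buffer.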