Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
List-ID: <musl.lists.openwall.com>
Reply-To: musl@lists.openwall.com
Date: Sun, 24 Mar 2024 13:46:29 -0400
From: Rich Felker
To: Maks Mishin
Cc: musl@lists.openwall.com
Message-ID: <20240324174629.GA32430@brightrain.aerifal.cx>
References: <20240324165154.22480-1-maks.mishinFZ@gmail.com>
In-Reply-To: <20240324165154.22480-1-maks.mishinFZ@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: [musl] Re: [PATCH] sprintf: Replace call vsprintf to vsnprintf

On Sun, Mar 24, 2024 at 07:51:54PM +0300, Maks Mishin wrote:
> Use of vulnerable function 'vsprintf' at sprintf.c:9.
> This function is unsafe, use vsnprintf instead.
>
> Found by RASU JSC.
>
> Signed-off-by: Maks Mishin
> ---
> src/stdio/sprintf.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/stdio/sprintf.c b/src/stdio/sprintf.c
> index 9dff524c..e6b2a411 100644
> --- a/src/stdio/sprintf.c
> +++ b/src/stdio/sprintf.c
> @@ -6,7 +6,7 @@ int sprintf(char *restrict s, const char *restrict fmt, ...)
> int ret;
> va_list ap;
> va_start(ap, fmt);
> - ret = vsprintf(s, fmt, ap);
> + ret = vsnprintf(s, sizeof s, fmt, ap);
> va_end(ap);
> return ret;
> }
> --
> 2.30.2

This patch is clearly wrong. It passes the size of a pointer instead of the
size of a buffer. Moreover, this is the actual implementation of sprintf,
which does not have access to the buffer size.

Please (1) send these mails to the list, not in private, and (2) don't send
patches that are just formulaic changes based on a static analysis tool.
*Every single one* so far has been wrong.

Rich
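Review bot: the `+` line `ret = vsnprintf(s, sizeof s, fmt, ap);` applies `sizeof` to the parameter `char *restrict s`, so the bound it passes is the size of a pointer (8 bytes on a 64-bit target), not the size of the caller's buffer; every sprintf call would then be silently truncated to 7 characters plus the terminator. Inside sprintf the buffer length is not part of the interface at all, so there is no correct value to substitute here and the hunk should be dropped rather than adjusted; the bound belongs at the call site, where callers that need one use snprintf with the real buffer size.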
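The `sizeof s` mistake that the reply describes, shown in an added C example that is not musl code and not part of this thread. `patched_sprintf` mirrors the shape of the patched function so the truncation can be observed; `caller_snprintf` shows the pattern that actually carries a buffer bound, which is the caller passing the size it knows. All function names below are my own.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the patched sprintf (hypothetical name, not musl's
 * code). Inside the callee `s` is a pointer, so `sizeof s` is the pointer
 * size, never the length of the array the caller passed. */
static int patched_sprintf(char *restrict s, const char *restrict fmt, ...)
{
	int ret;
	va_list ap;
	va_start(ap, fmt);
	ret = vsnprintf(s, sizeof s, fmt, ap); /* bound = sizeof(char *) */
	va_end(ap);
	return ret;
}

/* What `sizeof s` evaluates to for a pointer parameter. */
size_t pointer_param_size(void)
{
	char *s = NULL;
	return sizeof s;
}

/* Format a constructed 36-character string into a 64-byte buffer through the
 * patched function. Returns the number of characters that actually landed in
 * the buffer; the return value of the format call (the full length) is stored
 * in *formatted_len so the two can be compared. */
size_t patched_writes(char out[64], int *formatted_len)
{
	const char *msg = "this string is longer than a pointer"; /* 36 chars */
	memset(out, 0, 64);
	*formatted_len = patched_sprintf(out, "%s", msg);
	return strlen(out);
}

/* The correct place for a bound: the caller owns the buffer and knows its
 * size, so it passes that size to snprintf itself. Returns snprintf's
 * result, i.e. the length the full output would need. */
int caller_snprintf(char *buf, size_t bufsz, const char *src)
{
	return snprintf(buf, bufsz, "%s", src);
}

int main(void)
{
	char big[64];
	char small[16];
	int need;

	size_t got = patched_writes(big, &need);
	printf("patched sprintf: wanted %d chars, buffer holds \"%s\" (%zu)\n",
	       need, big, got);

	need = caller_snprintf(small, sizeof small,
	                       "this string is longer than a pointer");
	printf("caller snprintf: needed %d, wrote \"%s\" (%zu)\n",
	       need, small, strlen(small));
	return 0;
}
```

Compiled on a 64-bit target, the patched path reports 36 characters wanted but only 7 delivered, which is exactly the silent truncation the reply objects to; the caller-side snprintf truncates too, but on a bound the caller chose, and its return value tells the caller how much space was needed.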