- Fix snprintf() supports the n-specifier,
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 3 Dec 2019 15:29:18 +0000 (16:29 +0100)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 3 Dec 2019 15:29:18 +0000 (16:29 +0100)
  reported by X41 D-Sec.

compat/snprintf.c
doc/Changelog

index 97cd7061f5c9feb2a2e5b6e7be2f73e2e9647cc6..bab873e30793a68f012f392aa8457fe2d243c5c6 100644 (file)
@@ -658,7 +658,7 @@ int vsnprintf(char* str, size_t size, const char* format, va_list arg)
                 * are not their own functions. */
 
                /* printout designation:
-                * conversion specifier: x, d, u, s, c, n, m, p
+                * conversion specifier: x, d, u, s, c, m, p
                 * flags: # not supported
                 *        0 zeropad (on the left)
                 *        - left adjust (right by default)
@@ -798,7 +798,10 @@ int vsnprintf(char* str, size_t size, const char* format, va_list arg)
                                minw, minus);
                        break;
                case 'n':
-                       *va_arg(arg, int*) = ret;
+                       /* unsupported to harden against format string
+                        * exploitation,
+                        * handled like an unknown format specifier. */
+                       /* *va_arg(arg, int*) = ret; */
                        break;
                case 'm':
                        print_str(&at, &left, &ret, strerror(errno),
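Review bot: The hardened `case 'n'` no longer calls `va_arg`, so the `int*` argument belonging to a `%n` stays in the list and any conversion that follows it in the same format string would be given that pointer instead of its own argument. Consuming the slot without storing through it keeps the hardening and keeps the arguments aligned: `(void)va_arg(arg, int*);`. The commented-out store `/* *va_arg(arg, int*) = ret; */` is better deleted than kept as dead code, with the comment stating that `%n` is accepted but never writes. The claim "handled like an unknown format specifier" depends on the `default` branch, which, like the start and end of vsnprintf, lies outside this hunk, so it should be checked that both paths treat the argument list the same way.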
index 36490b094b9caedb250c9d8a3a1d32fd83f476cc..d6f33069c712747ec1cbe57cd1ac126d2b0c3c48 100644 (file)
@@ -22,6 +22,8 @@
        - Fix Hang in sldns_wire2str_pkt_scan(),
          reported by X41 D-Sec.
          This further lowers the max to 256.
+       - Fix snprintf() supports the n-specifier,
+         reported by X41 D-Sec.
 
 2 December 2019: Wouter
        - Merge pull request #122 from he32: In tcp_callback_writer(),