From: W.C.A. Wijngaards Date: Tue, 3 Dec 2019 15:29:18 +0000 (+0100) Subject: - Fix snprintf() supports the n-specifier, X-Git-Tag: release-1.9.6rc1~12 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ce611951391f4c27321f58b409c3d811d10e978;p=thirdparty%2Funbound.git - Fix snprintf() supports the n-specifier, reported by X41 D-Sec. --- diff --git a/compat/snprintf.c b/compat/snprintf.c index 97cd7061f..bab873e30 100644 --- a/compat/snprintf.c +++ b/compat/snprintf.c @@ -658,7 +658,7 @@ int vsnprintf(char* str, size_t size, const char* format, va_list arg) * are not their own functions. */ /* printout designation: - * conversion specifier: x, d, u, s, c, n, m, p + * conversion specifier: x, d, u, s, c, m, p * flags: # not supported * 0 zeropad (on the left) * - left adjust (right by default) @@ -798,7 +798,10 @@ int vsnprintf(char* str, size_t size, const char* format, va_list arg) minw, minus); break; case 'n': - *va_arg(arg, int*) = ret; + /* unsupported to harden against format string + * exploitation, + * handled like an unknown format specifier. */ + /* *va_arg(arg, int*) = ret; */ break; case 'm': print_str(&at, &left, &ret, strerror(errno), diff --git a/doc/Changelog b/doc/Changelog index 36490b094..d6f33069c 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -22,6 +22,8 @@ - Fix Hang in sldns_wire2str_pkt_scan(), reported by X41 D-Sec. This further lowers the max to 256. + - Fix snprintf() supports the n-specifier, + reported by X41 D-Sec. 2 December 2019: Wouter - Merge pull request #122 from he32: In tcp_callback_writer(),
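Review bot: In the header comment of vsnprintf() in compat/snprintf.c (hunk at line 658), n is dropped from the "conversion specifier" list with no word on what happens when a format string still contains %n. The code further down still has a case 'n' that parses it and then does nothing, so a short line here such as " * n is recognised but ignored, nothing is stored" would tell callers that the omission is deliberate and that the count is not written.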
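Review bot: In the case 'n' branch (compat/snprintf.c, hunk at line 798) the int* argument is no longer fetched from the va_list, so for a caller that passes a pointer for %n, the next conversion in the same format string reads that pointer as its own argument and every later argument is shifted by one. The hardening comes from removing the store, not from skipping the fetch; consuming and discarding the argument, for example (void)va_arg(arg, int*);, keeps the argument list aligned without writing through the pointer. If leaving it unconsumed is intended because unknown specifiers are handled that way, the comment should say so explicitly. The commented-out line /* *va_arg(arg, int*) = ret; */ is dead code and can be dropped, since the comment above it already records the decision.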
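Review bot: The new doc/Changelog entry (hunk at line 22), "Fix snprintf() supports the n-specifier", can be read as saying that support was added, which is the opposite of what the code change in compat/snprintf.c does. Wording along the lines of "Fix that compat snprintf() supports the n-specifier, it is now ignored" would state both the scope (the compat implementation) and the resulting behaviour.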