| Summary: | Possible string truncations in sshconnect2.c | | |
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Colin Watson <cjwatson> |
| Component: | ssh | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED FIXED | | |
| Severity: | normal | CC: | dtucker |
| Priority: | P5 | | |
| Version: | -current | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| Bug Depends on: | | | |
| Bug Blocks: | 2698 | | |
| Attachments: | | | |

Looks reasonable, sending upstream (but with slightly larger buffers).

Committed upstream, it'll be synced into portable in due course. Thanks.

Close all resolved bugs after release of OpenSSH 7.7.

Created attachment 3041
Increase prompt buffer sizes to fit text

```
sshconnect2.c: In function ‘userauth_passwd’:
sshconnect2.c:909:42: warning: ‘%.128s’ directive output may be truncated writing up to 128 bytes into a region of size between 119 and 149 [-Wformat-truncation=]
  snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
                                          ^~~~~~
In file included from /usr/include/stdio.h:938:0,
                 from /usr/include/bsd/libutil.h:46,
                 from includes.h:141,
                 from sshconnect2.c:27:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 15 and 173 bytes into a destination of size 150
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sshconnect2.c: In function ‘input_userauth_passwd_changereq’:
sshconnect2.c:960:19: warning: ‘%.128s’ directive output may be truncated writing up to 128 bytes into a region of size between 113 and 143 [-Wformat-truncation=]
  "Enter %.30s@%.128s's old password: ",
               ^~~~~~
In file included from /usr/include/stdio.h:938:0,
                 from /usr/include/bsd/libutil.h:46,
                 from includes.h:141,
                 from sshconnect2.c:27:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 25 and 183 bytes into a destination of size 150
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sshconnect2.c:969:20: warning: ‘%.128s’ directive output may be truncated writing up to 128 bytes into a region of size between 113 and 143 [-Wformat-truncation=]
  "Enter %.30s@%.128s's new password: ",
               ^~~~~~
In file included from /usr/include/stdio.h:938:0,
                 from /usr/include/bsd/libutil.h:46,
                 from includes.h:141,
                 from sshconnect2.c:27:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 25 and 183 bytes into a destination of size 150
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sshconnect2.c:977:21: warning: ‘%.128s’ directive output may be truncated writing up to 128 bytes into a region of size between 112 and 142 [-Wformat-truncation=]
  "Retype %.30s@%.128s's new password: ",
                ^~~~~~
In file included from /usr/include/stdio.h:938:0,
                 from /usr/include/bsd/libutil.h:46,
                 from includes.h:141,
                 from sshconnect2.c:27:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note: ‘__builtin___snprintf_chk’ output between 26 and 184 bytes into a destination of size 150
   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        __bos (__s), __fmt, __va_arg_pack ());
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```

The relevant buffers are just plain too small. Patch attached.
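
The truncation the first warning describes can be reproduced and checked at run time through the return value of `snprintf`. The following is an added example, not code from the bug report, the attached patch or OpenSSH; the helper names, the 256-byte comparison size and the sample user and host strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define OLD_PROMPT_SIZE 150	/* destination size reported in the warnings */
#define BIG_PROMPT_SIZE 256	/* constructed larger size, not from the patch */

/*
 * Hypothetical helper: format the password prompt into buf and return the
 * bytes the full prompt needs, including the NUL (0 on snprintf error).
 */
static size_t format_prompt(char *buf, size_t len, const char *user,
    const char *host)
{
	int r = snprintf(buf, len, "%.30s@%.128s's password: ", user, host);

	return r < 0 ? 0 : (size_t)r + 1;
}

/* Return 1 if a buffer of len bytes would truncate the prompt, else 0. */
static int prompt_truncated(size_t len, const char *user, const char *host)
{
	char buf[BIG_PROMPT_SIZE];
	size_t need;

	if (len > sizeof(buf))
		len = sizeof(buf);
	need = format_prompt(buf, len, user, host);
	return need == 0 || need > len;
}

/* Fill dst with n copies of c and NUL-terminate (dst holds n + 1 bytes). */
static void fill(char *dst, size_t n, char c)
{
	memset(dst, c, n);
	dst[n] = '\0';
}

int main(void)
{
	char user[64], host[300], buf[OLD_PROMPT_SIZE];

	fill(user, 40, 'u');	/* constructed: exceeds the %.30s cap */
	fill(host, 200, 'h');	/* constructed: exceeds the %.128s cap */
	printf("needs %zu bytes, buffer has %zu\n",
	    format_prompt(buf, sizeof(buf), user, host), sizeof(buf));
	printf("truncated at 150: %d, at 256: %d\n",
	    prompt_truncated(OLD_PROMPT_SIZE, user, host),
	    prompt_truncated(BIG_PROMPT_SIZE, user, host));
	return 0;
}
```

The worst case of 173 bytes matches the upper bound in the compiler note: 30 bytes of user, 128 bytes of host, 14 literal characters and the terminating NUL.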