[Bug 2768] New: Possible string truncations in sshconnect2.c
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Sat Aug 26 21:39:08 AEST 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2768
Bug ID: 2768
Summary: Possible string truncations in sshconnect2.c
Product: Portable OpenSSH
Version: -current
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: cjwatson at debian.org
Created attachment 3041
--> https://bugzilla.mindrot.org/attachment.cgi?id=3041&action=edit
Increase prompt buffer sizes to fit text
sshconnect2.c: In function ‘userauth_passwd’:
sshconnect2.c:909:42: warning: ‘%.128s’ directive output may be
truncated writing up to 128 bytes into a region of size between 119 and
149 [-Wformat-truncation=]
snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
^~~~~~
In file included from /usr/include/stdio.h:938:0,
from /usr/include/bsd/libutil.h:46,
from includes.h:141,
from sshconnect2.c:27:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note:
‘__builtin___snprintf_chk’ output between 15 and 173 bytes into a
destination of size 150
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sshconnect2.c: In function ‘input_userauth_passwd_changereq’:
sshconnect2.c:960:19: warning: ‘%.128s’ directive output may be
truncated writing up to 128 bytes into a region of size between 113 and
143 [-Wformat-truncation=]
"Enter %.30s@%.128s's old password: ",
^~~~~~
In file included from /usr/include/stdio.h:938:0,
from /usr/include/bsd/libutil.h:46,
from includes.h:141,
from sshconnect2.c:27:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note:
‘__builtin___snprintf_chk’ output between 25 and 183 bytes into a
destination of size 150
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sshconnect2.c:969:20: warning: ‘%.128s’ directive output may be
truncated writing up to 128 bytes into a region of size between 113 and
143 [-Wformat-truncation=]
"Enter %.30s@%.128s's new password: ",
^~~~~~
In file included from /usr/include/stdio.h:938:0,
from /usr/include/bsd/libutil.h:46,
from includes.h:141,
from sshconnect2.c:27:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note:
‘__builtin___snprintf_chk’ output between 25 and 183 bytes into a
destination of size 150
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sshconnect2.c:977:21: warning: ‘%.128s’ directive output may be
truncated writing up to 128 bytes into a region of size between 112 and
142 [-Wformat-truncation=]
"Retype %.30s@%.128s's new password: ",
^~~~~~
In file included from /usr/include/stdio.h:938:0,
from /usr/include/bsd/libutil.h:46,
from includes.h:141,
from sshconnect2.c:27:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note:
‘__builtin___snprintf_chk’ output between 26 and 184 bytes into a
destination of size 150
return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
__bos (__s), __fmt, __va_arg_pack ());
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The relevant buffers are just plain too small. Patch attached.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list