[CRIU] [PATCH] proc_parse: check that scanf fill the offset var
Pavel Emelyanov
xemul at parallels.com
Wed Aug 6 23:27:23 PDT 2014
On 08/06/2014 06:33 PM, Cyrill Gorcunov wrote:
> On Wed, Aug 06, 2014 at 06:03:51PM +0400, Andrey Vagin wrote:
>> CID 1168165 (#2 of 2): Untrusted array index read (TAINTED_SCALAR)
>> 40. tainted_data: Using tainted variable "hoff" as an index into an
>> array "str"
>>
>> $ man 3 scanf
>> n Nothing is expected; instead, the number of characters consumed
>> thus far from the input is stored through the next pointer,
>> which must be a pointer to int. This is not a conversion,
>> although it can be suppressed with the * assignment-suppression
>> character. The C standard says: "Execution of a %n directive
>> does not increment the assignment count returned at the completion
>> of execution" but the Corrigendum seems to contradict this.
>> Probably it is wise not to make any assumptions on the effect of
>> %n conversions on the return value.
>>
>> So it isn't enough to check a return code from scanf().
>>
>> Cc: Cyrill Gorcunov <gorcunov at openvz.org>
>> Signed-off-by: Andrey Vagin <avagin at openvz.org>
> Acked-by: Cyrill Gorcunov <gorcunov at openvz.org>
> .
>
applied
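The pattern the commit message describes, as an added example that is not CRIU's proc_parse code: a constructed line format, the return-count-only parser beside one that checks the %n target was actually filled (the function names, tag width and sample lines are made up for illustration).

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed example, not CRIU's proc_parse code. Each function parses
 * a line of the made-up form "<tag> <id> <rest...>" and returns a pointer
 * into the line at <rest>, or NULL if the line is malformed.
 */

/* Before: the only check is the sscanf() return count. The man page says
 * whether %n bumps that count is not something to rely on, so "== 2" is a
 * guess; if the guess is wrong, hoff is used without ever being written
 * (this is the tainted array index the report complains about). */
const char *parse_rest_before(const char *str, int *id)
{
	char tag[16];
	int hoff;	/* never initialized */

	if (sscanf(str, "%15s %d %n", tag, id, &hoff) != 2)
		return NULL;
	return str + hoff;
}

/* After: check that scanf actually filled the offset variable. */
const char *parse_rest(const char *str, int *id)
{
	char tag[16];
	int hoff = -1;	/* sentinel: stays -1 if %n was never reached */

	/* "< 2" rather than "!= 2" so the test holds whether or not this
	 * libc counts the %n directive in the return value. */
	if (sscanf(str, "%15s %d %n", tag, id, &hoff) < 2)
		return NULL;
	/* Do not infer from the count that %n ran; check hoff directly and
	 * bound it before using it as an index into str. */
	if (hoff < 0 || (size_t)hoff > strlen(str))
		return NULL;
	return str + hoff;
}

int main(void)
{
	const char *lines[] = { "mnt 42 /some/path", "mnt 7", "mnt", "" };
	size_t i;

	for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
		int id = 0;
		const char *rest = parse_rest(lines[i], &id);

		if (rest)
			printf("\"%s\" -> id=%d rest=\"%s\"\n", lines[i], id, rest);
		else
			printf("\"%s\" -> malformed\n", lines[i]);
	}
	return 0;
}
```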