Fix example/subsystem_netconf.c
Yuriy M. Kaminskiy
yumkam at gmail.com
Sat Sep 11 23:12:42 CEST 2021
On 11.09.2021 20:33, Christian Weisgerber via libssh2-devel wrote:
> In libssh2's example/subsystem_netconf.c, a pointer to a variable
> of the wrong size (on LP64) is passed. Ouch. The patch below fixes
> this and also eliminates the %n format specifier that is increasingly
> discouraged:
>
> --- example/subsystem_netconf.c.orig
> +++ example/subsystem_netconf.c
> @@ -257,14 +257,14 @@ int main(int argc, char *argv[])
> /* NETCONF: https://tools.ietf.org/html/draft-ietf-netconf-ssh-06 */
>
> fprintf(stderr, "Sending NETCONF client <hello>\n");
> - snprintf(buf, sizeof(buf),
> + len = snprintf(buf, sizeof(buf),
> "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
> "<hello>"
> "<capabilities>"
> "<capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>"
> "</capabilities>"
> "</hello>\n"
> - "]]>]]>\n%n", (int *)&len);
> + "]]>]]>\n");
> if(-1 == netconf_write(channel, buf, len))
> goto shutdown;
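Review bot: the value assigned at "len = snprintf(buf, sizeof(buf)," reaches netconf_write(channel, buf, len) without a range check. snprintf returns the length the complete output would have needed, or a negative value on error, and neither case is caught before the write. Take the result in an int first, goto shutdown if it is negative or not less than sizeof(buf), and only then assign it to len. The removed (int *)&len cast indicates len is not an int, so if it is an unsigned type a negative result would not stay negative after the assignment.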
This is broken (with security implications).
snprintf can return a value larger than sizeof(buf) or -1.
The same applies to %n (that is, the original code was broken too).
> @@ -277,12 +277,12 @@ int main(int argc, char *argv[])
> (int)len, buf);
>
> fprintf(stderr, "Sending NETCONF <rpc>\n");
> - snprintf(buf, sizeof(buf),
> + len = snprintf(buf, sizeof(buf),
> "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
> "<rpc xmlns=\"urn:ietf:params:xml:ns:netconf:base:1.0\">"
> "<get-interface-information><terse/></get-interface-information>"
> "</rpc>\n"
> - "]]>]]>\n%n", (int *)&len);
> + "]]>]]>\n");
> if(-1 == netconf_write(channel, buf, len))
> goto shutdown;
>
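Review bot: with %n removed, the format string at "len = snprintf(buf, sizeof(buf)," contains no conversion specifications, so the <rpc> message is a compile-time constant and snprintf only copies it. Consider keeping the message in a static const char array and taking its length from sizeof minus one, which removes the return-value handling from this call altogether. The same holds for the <hello> message in the first hunk.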
>
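The snprintf return-value behaviour raised in the reply above, as an added example that is not code from the original message or from libssh2. The names format_checked, unchecked_len and sample_msg are hypothetical, and the message is a constructed sample.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: a framed message longer than the small buffer below. */
static const char sample_msg[] = "<hello><capabilities/></hello>\n]]>]]>\n";

/* Hypothetical helper: format into buf and return the number of bytes
 * actually stored, or -1 if formatting failed or the output did not fit.
 * A non-negative result is always safe to use as a length for buf. */
static int format_checked(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int rc;

    va_start(ap, fmt);
    rc = vsnprintf(buf, size, fmt, ap);
    va_end(ap);

    if(rc < 0)                 /* output or encoding error */
        return -1;
    if((size_t)rc >= size)     /* truncated: rc is the length that was needed */
        return -1;
    return rc;
}

/* What an unchecked "len = snprintf(...)" would hand to the writer. */
static int unchecked_len(char *buf, size_t size, const char *msg)
{
    return snprintf(buf, size, "%s", msg);
}

int main(void)
{
    char small[16];
    char big[128];
    int raw = unchecked_len(small, sizeof(small), sample_msg);

    /* raw exceeds sizeof(small): using it as a length would read past buf */
    printf("buffer %zu bytes, snprintf returned %d, stored %zu\n",
           sizeof(small), raw, strlen(small));
    printf("checked, small buffer: %d\n",
           format_checked(small, sizeof(small), "%s", sample_msg));
    printf("checked, large buffer: %d\n",
           format_checked(big, sizeof(big), "%s", sample_msg));
    return 0;
}
```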