sysdeps-win: abuse of sprintf into fixed-size buffers
Submitted by Simon McVittie
Assigned to D-Bus Maintainers
Description
I happened to notice that the Windows version of _dbus_system_logv calls sprintf into a fixed 1024-byte buffer. Stack smashing, anyone? (I'm not treating this as a security hole as such, though, since D-Bus on Windows isn't a security boundary.)
Most of our strings are limited to 255 bytes, but you only need a format-string with 5 of those to smash the stack.
I looked a bit further, and found these:
- _dbus_poll in verbose mode calls sprintf into a fixed-size buffer on two separate occasions; in the first one it detects stack smashing afterwards, but that's too late
- _dbus_verbose_real does similarly
although those are only present in verbose mode.
There are also a couple of uses of sprintf in Unix code; those are made into buffers guaranteed to be large enough (assuming vsnprintf is POSIX-compliant, Bug #11668), but I'm tempted to open a bug for them anyway. "Never use sprintf" is easier to enforce than "use sprintf securely".
Version: 1.5
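As an added illustration of the bounded alternative the report argues for (this is example code, not D-Bus's own sysdeps code; the names bounded_log, format_alloc and demo_five_operands are hypothetical): a logging helper that formats with vsnprintf into the same 1024-byte buffer and reports truncation instead of overrunning it, plus a two-pass measure-then-allocate variant for callers that cannot accept truncation. The demo reproduces the report's arithmetic of five 255-byte operands in one format string.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_BUF_SIZE 1024  /* same fixed size the report describes */

/* Bounded stand-in for sprintf-into-a-fixed-buffer: never writes past
 * bufsize, always NUL-terminates, and sets *truncated when the message
 * did not fit. Returns the length the full message would have had. */
static int bounded_logv(char *buf, size_t bufsize, int *truncated,
                        const char *fmt, va_list ap)
{
    int needed;
    if (bufsize == 0) { *truncated = 1; return -1; }
    needed = vsnprintf(buf, bufsize, fmt, ap);
    if (needed < 0) { buf[0] = '\0'; *truncated = 1; return -1; }
    *truncated = ((size_t) needed >= bufsize);
    return needed;
}

int bounded_log(char *buf, size_t bufsize, int *truncated, const char *fmt, ...)
{
    va_list ap; int n;
    va_start(ap, fmt);
    n = bounded_logv(buf, bufsize, truncated, fmt, ap);
    va_end(ap);
    return n;
}

/* Two-pass formatting when truncation is unacceptable: measure with a
 * NULL/0 vsnprintf (the C99/POSIX behaviour the report's Bug #11668
 * refers to), then allocate exactly enough. Caller frees the result. */
char *format_alloc(const char *fmt, ...)
{
    va_list ap, ap2; int needed; char *out;
    va_start(ap, fmt);
    va_copy(ap2, ap);
    needed = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (needed < 0) { va_end(ap2); return NULL; }
    out = malloc((size_t) needed + 1);
    if (out != NULL)
        vsnprintf(out, (size_t) needed + 1, fmt, ap2);
    va_end(ap2);
    return out;
}

/* Constructed input: five 255-byte strings, which sprintf would have
 * written as 1279 bytes into a 1024-byte buffer. */
int demo_five_operands(char out[LOG_BUF_SIZE], int *truncated)
{
    char op[256];
    memset(op, 'A', 255); op[255] = '\0';
    return bounded_log(out, LOG_BUF_SIZE, truncated, "%s %s %s %s %s",
                       op, op, op, op, op);
}
```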