Hi, I'm currently trying to use the static analysis tool Infer to find uncaught API-misuse bugs in OpenWrt packages, and I found a potential Format String bug in your project, version 1.19.
The bug is located in smtp.c. Firstly, the program reads bytes from fp to buf using fread() in line 638, and buf is later used as the parameter of showVerbose() in line 650, as shown in the following code:
```c
while (fgets(buf,bufsz,fp))          /* one line read from the attachment file */
{
    write_to_socket(buf);
    if (g_show_attachment_in_log)
    {
        showVerbose("[C] %s",buf);   /* buf passed as an argument to a fixed format */
    }
}
(void) fclose(fp);
(void) snprintf(buf,bufsz,"\r\n\r\n");
msock_puts(buf);
showVerbose(buf);                    /* buf passed directly as the format string */
```
Inside showVerbose(), it directly calls vprintf() twice with the controlled buffer, which violates CWE-134 and can cause undefined behavior.
I also attached the analysis trace given by Infer FYI:
```json
"trace": [
  {
    "file": "smtp.c",
    "line": 638,
    "col": 12,
    "feature": [ "Input", "fgets" ]
  },
  {
    "file": "smtp.c",
    "line": 650,
    "col": 5,
    "feature": [ "Call", "showVerbose" ]
  },
  {
    "file": "utils.c",
    "line": 182,
    "col": 13,
    "feature": [ "FormatString", "vfprintf", [ "Var" ] ]
  },
  {
    "file": "utils.c",
    "line": 197,
    "col": 13,
    "feature": [ "FormatString", "vfprintf", [ "Var" ] ]
  }
],
```
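An added example (not the project's code; the names log_line, log_untrusted and looks_like_format_directive are hypothetical) showing the defensive pattern the report points at: the format string stays a string literal, data read from outside always enters as a "%s" argument, and the wrapper carries a printf format attribute so that a call like showVerbose(buf) is flagged by -Wformat-security at compile time.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* With GCC/Clang and -Wformat-security, passing a non-literal format
 * (e.g. a buffer filled by fgets) to log_line() produces a warning. */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, arg_idx) __attribute__((format(printf, fmt_idx, arg_idx)))
#else
#define PRINTF_LIKE(fmt_idx, arg_idx)
#endif

/* Hypothetical showVerbose()-style wrapper; it formats into 'out' instead
 * of stdout so the result can be inspected. Returns vsnprintf's count. */
int log_line(char *out, size_t outsz, const char *fmt, ...) PRINTF_LIKE(3, 4);

int log_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Log a line that came from an external source (attachment file, socket).
 * The data is an argument to a fixed "%s" format, so any '%' it contains is
 * printed literally and never interpreted as a conversion specifier. */
int log_untrusted(char *out, size_t outsz, const char *data)
{
    return log_line(out, outsz, "[C] %s", data);
}

/* Triage aid: does the buffer contain a '%' that is not the "%%" escape?
 * If so, using it directly as a format string would make printf interpret
 * it; such lines are the ones worth checking in a verbose log. */
int looks_like_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p + 1, '%')) {
        if (p[1] == '%') { p++; continue; }   /* skip the "%%" escape */
        return p[1] != '\0';                   /* a trailing lone '%' is inert */
    }
    return 0;
}

int main(void)
{
    char out[128];
    /* Constructed sample attachment line containing format characters. */
    log_untrusted(out, sizeof out, "discount 100% on %s items\n");
    fputs(out, stdout);   /* the line appears verbatim, '%' included */
    return 0;
}
```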