[Toybox] [PATCH] mkflags: fix a sscanf buffer off-by-one.

enh enh at google.com
Sat Feb 22 14:47:45 PST 2020


On Sat, Feb 22, 2020 at 4:05 AM Rob Landley <rob at landley.net> wrote:
>
> On 2/21/20 11:10 AM, enh via Toybox wrote:
> > Sadly, the compilers don't even catch this common mistake if you use
> > sscanf_s(3). Luckily, ASan does.
>
> I haven't given the build-time stuff the same level of scrutiny the runtime
> stuff gets because it's not deployed on target so presumably not as exploitable.
> (And because it's not building with the full toybox lib/*.c infrastructure and
> is working with known fixed inputs, so there's a lot of half-assed "read into a
> static buffer" and such going on, which this is an instance of.)
>
> At least I bounds-checked it. :)

yeah, that's what makes scanf's %s and friends such an "unsafe at any
speed" API.

i usually encourage Android folks to use %ms etc instead and just let
libc allocate.

> Rob
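
The off-by-one the patch fixes, the width-limited "%Ns" form, and the "%ms" alternative enh recommends, as an added example in C. This is not toybox's mkflags code: the helper names, the 8-byte field and the input strings are constructed for illustration, and "%ms" needs a POSIX.1-2008 libc (glibc, musl, bionic).

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Field size assumed for illustration: an 8-byte static buffer. */
#define NAME_WIDTH 7                 /* max characters %s may store */
#define NAME_LEN   (NAME_WIDTH + 1)  /* plus the terminating NUL */

/* Build the width into the format string from the same constant, so the
 * buffer size and the scanf width cannot drift apart. Expands to "%7s". */
#define STR2(x) #x
#define STR(x)  STR2(x)
#define NAME_FMT "%" STR(NAME_WIDTH) "s"

/* The bug: "%8s" into an 8-byte field. scanf's width counts characters
 * stored, not the NUL, so 8 characters plus NUL is 9 bytes. The field is
 * embedded in a larger backing array here so the overrun is observable
 * instead of undefined. Returns the index at which sscanf wrote the NUL. */
int overrun_index(void)
{
    char backing[16];
    memset(backing, 'X', sizeof backing);
    /* intended field: backing[0..7] */
    if (sscanf("ABCDEFGHIJ", "%8s", backing) != 1) return -1;
    for (int i = 0; i < (int)sizeof backing; i++)
        if (backing[i] == '\0') return i;   /* 8 == one past the field */
    return -1;
}

/* The fix: width = size - 1, so at most 7 characters plus NUL land in the
 * 8-byte buffer. Returns characters stored, or -1 if nothing matched. */
int parse_name_fixed(const char *input, char out[NAME_LEN])
{
    out[0] = '\0';
    if (sscanf(input, NAME_FMT, out) != 1) return -1;
    return (int)strlen(out);
}

/* The alternative: "%ms" makes libc malloc a buffer of the right size.
 * There is no width to get wrong, but the caller must free() the result,
 * and a hostile input can make the allocation arbitrarily large. */
char *parse_name_alloc(const char *input)
{
    char *s = NULL;
    if (sscanf(input, "%ms", &s) != 1) return NULL;
    return s;
}

int main(void)
{
    char fixed[NAME_LEN];
    char *dyn;

    printf("\"%%8s\" into 8 bytes wrote its NUL at index %d\n", overrun_index());
    parse_name_fixed("ABCDEFGHIJ", fixed);
    printf("%s -> \"%s\" (truncated to %d chars)\n", NAME_FMT, fixed, NAME_WIDTH);
    dyn = parse_name_alloc("ABCDEFGHIJ");
    printf("%%ms -> \"%s\"\n", dyn ? dyn : "(no match)");
    free(dyn);
    return 0;
}
```

The width-limited form silently truncates rather than overflowing, which is safe but can hide bad input; the "%ms" form keeps the whole token but turns the bounds problem into a memory-growth problem, which matters more for a tool that reads untrusted input than for a build-time helper fed known fixed inputs.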
