[Ayttm-users] Possible format string vulnerability

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi,

I work in information flow analysis of programs and my analysis gave a
possible warning with respect to format string vulnerability in ayttm. I
had pointed out this behaviour earlier, so wanted to check whether code
base has been modified to fix this vulnerability.

Function "http_connect" populates "debug_buff" through "inputline".
"inputline" is populated through an external "recv" command. "debugf" is
passed directly to printf without a format string.

*Code: (in http_connect)*

*//Populates inputine through recv call*
*ay_recv_line(sockfd,&inputline)*

*//Moves inputline to debug_buff*
*snprintf(debug_buff, sizeof(debug_buff), <%s\n",inputline); *

*//Passes to debug_print a.k.a printf*
*debug_print(debug_buff)*

Our analysis flagged this behavior.

However, we are not sure whether ayttm developers are aware of this
behaviour. This might very well be a false positive. We just wanted to
confirm our analysis.

Any response in this regard will be appreciated.

Thanks

Regards,
Kapil