From: Kapil A. <kap...@gm...> - 2015-08-22 20:25:20
Hi,

I work in information flow analysis of programs, and my analysis gave a possible warning with respect to a format string vulnerability in ayttm. I had pointed out this behaviour earlier, so I wanted to check whether the code base has been modified to fix this vulnerability.

Function "http_connect" populates "debug_buff" through "inputline". "inputline" is populated through an external "recv" command. "debugf" is passed directly to printf without a format string.

Code (in http_connect):

    // Populates inputline through recv call
    ay_recv_line(sockfd, &inputline);
    // Moves inputline to debug_buff
    snprintf(debug_buff, sizeof(debug_buff), "<%s\n", inputline);
    // Passes to debug_print, a.k.a. printf
    debug_print(debug_buff);

Our analysis flagged this behaviour. However, we are not sure whether ayttm developers are aware of this behaviour. This might very well be a false positive. We just wanted to confirm our analysis. Any response in this regard will be appreciated.

Thanks

Regards,
Kapil
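Added example, not ayttm's own code: the debug_print sink from the report rewritten so that the received line is always a printf argument and never the format, plus a small check a reviewer can run over a buffer before it reaches a printf-style sink. debug_print, render_debug_line, has_format_directive and the sample request line are all constructed here for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hardened sink: the format is its own parameter, and the format attribute
 * lets gcc/clang (-Wformat -Wformat-security, or -Werror=format-security)
 * reject a call site that passes a non-literal string as the format. */
__attribute__((format(printf, 1, 2)))
static void debug_print(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
}

/* Same rendering as the report's snprintf step, into a caller buffer so the
 * result can be inspected. Returns the snprintf length (bytes that would
 * have been written). The received line is an ARGUMENT, never the format. */
static int render_debug_line(char *out, size_t outsz, const char *inputline)
{
    return snprintf(out, outsz, "<%s\n", inputline);
}

/* Review helper: 1 if the buffer holds a '%' that printf would parse as a
 * conversion directive, i.e. it must not be used as a format; "%%" is a
 * literal percent and is ignored. */
static int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

/* Constructed stand-in for ay_recv_line(): an ordinary URL-encoded request
 * line. "%20o" already reads as a width-20 octal directive to printf. */
static const char *sample_recv_line(void) { return "GET /search?q=100%20off HTTP/1.0"; }

int main(void)
{
    char debug_buff[256];
    render_debug_line(debug_buff, sizeof debug_buff, sample_recv_line());
    debug_print("%s", debug_buff);   /* safe: whole line goes through %s   */
    /* debug_print(debug_buff);         rejected by -Wformat-security       */
    return has_format_directive(debug_buff) ? 1 : 0;
}
```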