CXX-S1004 · While processing the buffer using `printf`/`scanf`, not using any width for the format specifier `%s` is vulnerable to buffer overflow

While processing the buffer using printf/scanf, not using any width for the format specifier %s is vulnerable to buffer overflow CXX-S1004

Security

Major

a year ago — a year old

cwe-120

Using printf or scanf without width-limit on %s

utils/lm_modes.c

 57    switch (mode)
 58    {
 59    case LM_BACH:
 60        snprintf(buffer, 15, "%s", "LM_BACH"); 61        break;
 62
 63    default:

Using printf or scanf without width-limit on %s

utils/lm_modes.c

 61        break;
 62
 63    default:
 64        snprintf(buffer, 15, "%s", "LM_INTERACTIVE"); 65        break;
 66    }
 67    return buffer;

Description

Using I/O operations such as printf and scanf without setting width limits for format strings can allow for buffer overflow when reading from a stdin pipe or writing to a stdout pipe.

You can limit the width for format strings by providing it between the % and s, as the <width>(any positive decimal integer).

Such as this: %<width>s.

Limit the width of string specifiers by adding a maximum width for I/O operations, as outlined above.

Bad practice

char str[10];
scanf("%s", str);

mohamedjawady / LMSHELL

Bad practice

Recommended

References