alpine 3.8
format weakness #14


Weakness Breakdown


Definition:

A format string exploit occurs when the data of an input string is evaluated as a command by the program. This class of attacks is very similar to buffer overflows, since an attacker could execute code, read the stack, or cause new behaviors that compromise security. Learn more about format string attacks on the OWASP attack index.

Warning code(s):

If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always 0-terminate.

File Name:

gmp/src/gmp-6.1.2/printf/vasprintf.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.8 format weakness.

   * the GNU General Public License as published by the Free Software
    Foundation; either version 2 of the License, or (at your option) any
    later version.

or both in parallel, as here.

The GNU MP Library is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
for more details.

You should have received copies of the GNU General Public License and the
GNU Lesser General Public License along with the GNU MP Library.  If not,
see https://www.gnu.org/licenses/.  */

#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include "gmp.h"
#include "gmp-impl.h"

#if ! HAVE_VSNPRINTF
#define vsnprintf  __gmp_replacement_vsnprintf
#endif


/* vasprintf isn't used since we prefer all GMP allocs to go through
   __gmp_allocate_func, and in particular we don't want the -1 return from
   vasprintf for out-of-memory, instead __gmp_allocate_func should handle
   that.  Using vsnprintf unfortunately means we might have to re-run it if
   our current space is insufficient.

   The initial guess for the needed space is an arbitrary 256 bytes.  If
   that (and any extra GMP_ASPRINTF_T_NEED might give) isn't enough then an
   ISO C99 standard vsnprintf will tell us what we really need.

   GLIBC 2.0.x vsnprintf returns either -1 or space-1 to indicate overflow,
   without giving any indication how much is really needed.  In this case
   keep trying with double the space each time.

   A return of space-1 is success on a C99 vsnprintf, but we're not
   bothering to identify which style vsnprintf we've got, so just take the
   pessimistic option and assume it's glibc 2.0.x.

   Notice the use of ret+2 for the new space in the C99 case.  This ensures
   the next vsnprintf return value will be space-2, which is unambiguously
   successful.  But actually GMP_ASPRINTF_T_NEED() will realloc to even
   bigger than that ret+2. 
