As I was severely bitten by this issue lately, this caught my interest,
but the "bug" reported in this so-called advisory is in fact not a bug
at all. Observe:

>int wmprintf(const char *format, ...) /* <--- INTERESTING FUNCTION */
>{
>        char buffer[1024];
>        va_list ap;
>
>        va_start(ap, format);
>        vsnprintf(buffer, sizeof(buffer)-1, format, ap); // <- INTERESTING

This does pass a (potentially) non-constant string as the format string
to vsnprintf(), but (at least from the examples provided) wmprintf() is
always called with a constant format string, so this isn't a problem.

>        va_end(ap);
>        send(wmsocket, buffer, strlen(buffer), 0);

If this were a *printf() call, then we'd have problems, but all it's
doing is writing the buffer to the socket--no formatting interpretation
involved.

As an example, let's expand one of the calls, assuming the %s parameter
is "NASTY %sTRING":

>wmprintf("USER %s\r\n", wmusername);
        --> wmprintf("USER %s\r\n", "NASTY %sTRING");

>int wmprintf(const char *format, ...)
>{
        --> format == "USER %s\r\n"
>        char buffer[1024];
        --> buffer == undefined
>        va_list ap;
        --> ap == undefined
>
>        va_start(ap, format);
        --> ap == &"NASTY %sTRING"
>        vsnprintf(buffer, sizeof(buffer)-1, format, ap); // <- INTERESTING
        --> buffer == "USER NASTY %sTRING\r\n"
>        va_end(ap);
        --> ap == undefined
>        send(wmsocket, buffer, strlen(buffer), 0);
        --> send(wmsocket, "USER NASTY %sTRING\r\n", 20, 0);
>// logdata (">> %s", buffer);
        --> logdata(">> %s", "USER NASTY %sTRING");
>        return 0;
>}

The author is even careful enough to use logdata("%s",buffer) instead of
logdata(buffer), which is the careless mistake I made and had pointed out
to me.

Nothing to see here, move along.

>======[ Example
>
>Can't test this bug!!!
>If I'm wrong about this format string bug in Null Webmail, I'm very sorry.

  --Andrew Church
    achurch@achurch.org
    http://achurch.org/
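The data flow walked through above, as an added C example that is not code from the advisory, from Null Webmail or from this reply. wm_format() is an assumed stand-in for wmprintf() with the send() left out, wm_user_line() is the "USER %s\r\n" call with the post's constructed input "NASTY %sTRING", logdata_safe() is an assumed stand-in for the logdata(">> %s", buffer) form, and directives_consumed_as_format() is an added helper that counts how many varargs a printf-family function would try to read if the user-tainted buffer were ever passed as the format itself (the logdata(buffer) mistake), so the unsafe variant can be reasoned about without actually executing undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for wmprintf() (assumed name; send() omitted): the caller's
 * constant string is the format, the user value is a vararg, so any '%'
 * inside the user value is copied into buf as data, never interpreted. */
static int wm_format(char *buf, size_t bufsize, const char *format, ...)
{
    va_list ap;
    int n;

    va_start(ap, format);
    n = vsnprintf(buf, bufsize, format, ap);
    va_end(ap);
    return n;
}

static char wmbuffer[1024];   /* stands in for wmprintf()'s local buffer */
static char logline[1100];

/* The "USER %s\r\n" call from the post; returns what would reach send(). */
static const char *wm_user_line(const char *wmusername)
{
    wm_format(wmbuffer, sizeof(wmbuffer) - 1, "USER %s\r\n", wmusername);
    return wmbuffer;
}

/* Safe logging form, logdata(">> %s", buffer): the buffer is consumed by a
 * constant "%s", so its contents are never parsed as a format string. */
static const char *logdata_safe(const char *buffer)
{
    snprintf(logline, sizeof(logline), ">> %s", buffer);
    return logline;
}

/* Added helper: number of varargs a printf-family function would try to
 * read if `s` were passed as the FORMAT (the careless logdata(buffer) form).
 * "%%" is a literal; a '*' width or precision costs one extra int argument.
 * A nonzero result for attacker-controlled data means reads (or, with %n,
 * writes) through arguments that were never supplied. */
static int directives_consumed_as_format(const char *s)
{
    int count = 0;
    const char *p;

    for (p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')          /* "%%" prints a single '%' */
            continue;
        /* skip flags, width, precision and length modifiers */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*')      /* '*' pulls an int off the varargs */
                count++;
            p++;
        }
        if (!*p)                /* lone '%' at end of string */
            break;
        count++;                /* the conversion itself: s, d, x, n, ... */
    }
    return count;
}

int main(void)
{
    const char *wmusername = "NASTY %sTRING";   /* constructed attacker input */
    const char *buffer = wm_user_line(wmusername);

    printf("send() would get %zu bytes\n", strlen(buffer));
    printf("safe log line: %s", logdata_safe(buffer));   /* ends in \r\n */
    printf("varargs a logdata(buffer) call would consume: %d\n",
           directives_consumed_as_format(buffer));
    return 0;
}
```

The two outputs side by side are the whole argument: with the constant format the "%s" inside the username survives as two literal bytes (20 bytes on the wire, matching the expansion above), while the helper shows that the same buffer used as a format would consume one argument that nobody passed.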