Hi, I'm currently trying to use the static analysis tool Infer to find uncaught API-misuse bugs in OpenWrt packages, and I found a potential format string bug in your project, version 1.19.
The bug is located in smtp.c. First, the program reads bytes from fp into buf using fread() in line 638, and buf is later used as the parameter of showVerbose() in line 650, as shown in the following code:
```c
while (fgets(buf,bufsz,fp))
{
    write_to_socket(buf);
    if (g_show_attachment_in_log)
    {
        showVerbose("[C] %s",buf);
    }
}
(void) fclose(fp);
(void) snprintf(buf,bufsz,"\r\n\r\n");
msock_puts(buf);
showVerbose(buf);
```

Inside showVerbose(), it directly calls vprintf() twice with the controlled buffer, which violates CWE-134 and can cause undefined behavior.
I also attached the analysis trace given by Infer FYI:
```json
"trace": [
  {
    "file": "smtp.c",
    "line": 638,
    "col": 12,
    "feature": [ "Input", "fgets" ]
  },
  {
    "file": "smtp.c",
    "line": 650,
    "col": 5,
    "feature": [ "Call", "showVerbose" ]
  },
  {
    "file": "utils.c",
    "line": 182,
    "col": 13,
    "feature": [ "FormatString", "vfprintf", [ "Var" ] ]
  },
  {
    "file": "utils.c",
    "line": 197,
    "col": 13,
    "feature": [ "FormatString", "vfprintf", [ "Var" ] ]
  }
],
```
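The pattern described in the report, as an added example that is not part of the original issue or the project's code: a variadic logging wrapper receives file data once as its format string and once as an argument to a constant `"%s"` format. The names `log_verbose`, `log_line_as_format`, `log_line_as_data` and `SAMPLE_LINE` are hypothetical, and the wrapper writes to a buffer rather than stdout so the difference can be checked.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a showVerbose()-style wrapper: it forwards its
 * format and arguments to a v*printf function. It writes into `out` instead
 * of stdout so the result can be inspected. */
static int log_verbose(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Pattern from the report: data read from a file is used as the format. */
static int log_line_as_format(char *out, size_t outsz, const char *line)
{
    return log_verbose(out, outsz, line);
}

/* Fix: constant format, file data passed only as an argument. */
static int log_line_as_data(char *out, size_t outsz, const char *line)
{
    return log_verbose(out, outsz, "%s", line);
}

/* Constructed sample line. "%%" is used because it is the one conversion
 * that consumes no argument, so the unsafe call stays well defined here;
 * any other conversion in the data would read arguments never passed. */
static const char SAMPLE_LINE[] = "progress: 100%% complete\r\n";

int main(void)
{
    char a[64], b[64];

    log_line_as_format(a, sizeof a, SAMPLE_LINE);
    log_line_as_data(b, sizeof b, SAMPLE_LINE);
    printf("as format: %s", a);  /* data was interpreted, "%%" became "%" */
    printf("as data:   %s", b);  /* data logged byte for byte */
    return strcmp(b, SAMPLE_LINE) != 0;
}
```

Declaring such a wrapper with the GCC/Clang attribute `__attribute__((format(printf, 3, 4)))` (format is parameter 3 here, variadic arguments start at 4) lets `-Wformat -Wformat-security` flag the non-literal call at compile time.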