During the static analysis of the component, I encountered a trigger indicating unsafe use of the sscanf method.
|
n = sscanf(xpath, mapping->xpath_from_fmt, keys[0], keys[1], keys[2], |
The keys array is declared as char
|
char keys[4][LIST_MAXKEYLEN]; |
, which imposes a strict limit on the length of each key.
However, if the xpath_from_fmt format string (obtained from the mapping structure) contains %s type specifiers without explicitly specifying the maximum field width, the sscanf function will write to the keys[i] buffer before the first space character or the end of the line.
Since xpath_from_fmt
|
char xpath_from_fmt[XPATH_MAXLEN]; |
is dynamically substituted from the mapping table, and there is no validation of matching the width of the specifiers in this row to the size of
LIST_MAXKEYLEN, there is a theoretical possibility of exploiting this vulnerability when processing specially formed YANG paths, which can lead to memory corruption or an emergency shutdown of the process.
During the static analysis of the component, I encountered a trigger indicating unsafe use of the sscanf method.
frr/lib/yang_translator.c
Line 333 in aa488b2
The keys array is declared as char
frr/lib/yang_translator.c
Line 309 in aa488b2
However, if the xpath_from_fmt format string (obtained from the mapping structure) contains %s type specifiers without explicitly specifying the maximum field width, the sscanf function will write to the keys[i] buffer before the first space character or the end of the line.
Since xpath_from_fmt
frr/lib/yang_translator.c
Line 39 in aa488b2