msquic
Fix Security Warning from sscanf Usage in Posix Code
Describe the bug
Code scanning warns that the Posix usage of sscanf in cgroup.c could be an unbounded write. Not really, but we should fix it to make the tool happy.
Affected OS
- [ ] All
- [ ] Windows Server 2022
- [ ] Windows 11
- [ ] Windows Insider Preview (specify affected build below)
- [X] Ubuntu
- [X] Debian
- [ ] Other (specify below)
Additional OS information
No response
MsQuic version
main
Steps taken to reproduce bug
Go to https://github.com/microsoft/msquic/security/code-scanning to see the "Unbound write" warnings, such as https://github.com/microsoft/msquic/security/code-scanning/169?query=ref%3Arefs%2Fheads%2Fmain.
Expected behavior
No warnings should be present
Actual outcome
The code scanning fears that there might be an unbound write, but it shouldn't be the case considering how we allocate the space. But to make things a little safer, I think we should update the code to do something like the first answer here: https://stackoverflow.com/questions/5873402/is-sscanf-considered-safe-to-use.
Additional details
No response
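As an added example (not msquic's cgroup.c code), this shows the fix the linked Stack Overflow answer describes: a width specifier derived from the destination size so `%s` can never write past the buffer, plus a truncation check, because a capped `%s` can silently consume only part of an over-long token and let the rest be parsed as the next field. The `name value` line format and all names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* An unbounded "%s" stores as many bytes as the input token has, so a long
 * token overruns the destination. A width specifier caps the store at N
 * characters plus the terminating NUL, so the buffer must be N + 1 bytes. */
#define TOKEN_LEN 15                /* max characters stored, excluding NUL */
#define TOKEN_BUF (TOKEN_LEN + 1)   /* destination size including the NUL */

/* Expand the macro value into the format string at compile time, so the
 * width in "%15s" cannot drift away from the buffer declaration. */
#define STR2(x) #x
#define STR(x) STR2(x)

/* Parses a constructed "name value" line into a bounded name and an
 * unsigned value. Returns 1 on success, 0 if either field is missing. */
int ParseBounded(const char *Line, char Name[TOKEN_BUF], unsigned long *Value)
{
    /* Format expands to "%15s %lu": at most TOKEN_LEN chars + NUL are stored. */
    return sscanf(Line, "%" STR(TOKEN_LEN) "s %lu", Name, Value) == 2;
}

/* Reports whether the width cap cut the token short: the stored name filled
 * the whole field while the input token was longer. Callers should reject
 * such lines rather than trust the value parsed from the leftover bytes. */
int NameWasTruncated(const char *Line, const char Name[TOKEN_BUF])
{
    const char *Start = Line + strspn(Line, " \t");  /* %s skips leading blanks */
    size_t TokenLen = strcspn(Start, " \t");
    return strlen(Name) == TOKEN_LEN && TokenLen > TOKEN_LEN;
}

int main(void)
{
    char Name[TOKEN_BUF];
    unsigned long Value = 0;
    /* Constructed input: an 18-char token whose tail happens to be digits,
     * so a parse that ignores truncation succeeds with the wrong value. */
    const char *Line = "abcdefghijklmno123 9";
    int Ok = ParseBounded(Line, Name, &Value);
    printf("ok=%d name='%s' value=%lu truncated=%d\n",
           Ok, Name, Value, NameWasTruncated(Line, Name));
    return 0;
}
```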