lib/printf: disable `%n` specifier

We don't use `%n` anywhere, so the only purpose it serves is enabling
exploits.

(I thought about this initially when adding printfrr, but I wasn't sure
we don't use `%n` anywhere, and thought I'll check later, and then just
forgot it...)

Signed-off-by: David Lamparter <equinox@diac24.net>

diff --git a/lib/printf/printf-pos.c b/lib/printf/printf-pos.c
index cc03f7ef9ae17203fc25543eea49291f1a53280b..ac775bea4e2be5c12e4796c5db48dc7eaa2514a7 100644 (file)
--- a/lib/printf/printf-pos.c
+++ b/lib/printf/printf-pos.c
@@ -384,6 +384,7 @@ reswitch:   switch (ch) {
                                goto error;
                        break;
 #endif /* !NO_FLOATING_POINT */
+#ifdef DANGEROUS_PERCENT_N
                case 'n':
                        if (flags & INTMAXT)
                                error = addtype(&types, TP_INTMAXT);
@@ -404,6 +405,7 @@ reswitch:   switch (ch) {
                        if (error)
                                goto error;
                        continue;       /* no output */
+#endif
                case 'O':
                        flags |= LONGINT;
                        /*FALLTHROUGH*/
@@ -576,6 +578,7 @@ reswitch:   switch (ch) {
                                goto error;
                        break;
 #endif /* !NO_FLOATING_POINT */
+#ifdef DANGEROUS_PERCENT_N
                case 'n':
                        if (flags & INTMAXT)
                                error = addtype(&types, TP_INTMAXT);
@@ -596,6 +599,7 @@ reswitch:   switch (ch) {
                        if (error)
                                goto error;
                        continue;       /* no output */
+#endif
                case 'O':
                        flags |= LONGINT;
                        /*FALLTHROUGH*/

diff --git a/lib/printf/vfprintf.c b/lib/printf/vfprintf.c
index 6ffccb3811eae3ffa9500f9a684cef6a05868ffe..a0634cde4b9bc07fce193a117ccba7c95bbe6a32 100644 (file)
--- a/lib/printf/vfprintf.c
+++ b/lib/printf/vfprintf.c
@@ -503,6 +503,11 @@ reswitch:  switch (ch) {
                        size = (prec >= 0) ? strnlen(cp, prec) : strlen(cp);
                        sign = '\0';
                        break;
+#ifdef DANGEROUS_PERCENT_N
+               /* FRR does not use %n in printf formats.  This is just left
+                * here in case someone tries to use %n and starts debugging
+                * why the f* it doesn't work
+                */
                case 'n':
                        /*
                         * Assignment-like behavior is specified if the
@@ -526,6 +531,7 @@ reswitch:   switch (ch) {
                        else
                                *GETARG(int *) = ret;
                        continue;       /* no output */
+#endif
                case 'O':
                        flags |= LONGINT;
                        /*FALLTHROUGH*/