authorDavid Lamparter <equinox@diac24.net>2021-02-01 17:50:01 +0100
committerDavid Lamparter <equinox@diac24.net>2021-02-01 18:33:18 +0100
commit738cca0ab4b900e2ecdb1ab28bc431fca014e6b0 (patch)
treed831f56a74cfeac07a10b649cbfef149e3e6af82 /lib/printf
parent6968b038ebb0beeda99b7ed70f3f1c35383f1ee3 (diff)
lib/printf: disable `%n` specifier
We don't use `%n` anywhere, so the only purpose it serves is enabling exploits. (I thought about this initially when adding printfrr, but I wasn't sure we don't use `%n` anywhere, and thought I'll check later, and then just forgot it...) Signed-off-by: David Lamparter <equinox@diac24.net>
Diffstat (limited to 'lib/printf')
-rw-r--r--lib/printf/printf-pos.c4
-rw-r--r--lib/printf/vfprintf.c6
2 files changed, 10 insertions, 0 deletions
diff --git a/lib/printf/printf-pos.c b/lib/printf/printf-pos.c
index cc03f7ef9a..ac775bea4e 100644
--- a/lib/printf/printf-pos.c
+++ b/lib/printf/printf-pos.c
@@ -384,6 +384,7 @@ reswitch: switch (ch) {
goto error;
break;
#endif /* !NO_FLOATING_POINT */
+#ifdef DANGEROUS_PERCENT_N
case 'n':
if (flags & INTMAXT)
error = addtype(&types, TP_INTMAXT);
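Review bot: The `#ifdef DANGEROUS_PERCENT_N` added above `case 'n':` carries no explanation in this file; the only rationale is the comment in vfprintf.c, so a reader of printf-pos.c cannot tell that the macro is meant to stay undefined. A one-line comment after the `#ifdef` would cover it, e.g. `/* %n stores through a caller-supplied pointer; compiled out, keep in sync with vfprintf.c */`. The same applies to the second copy of this guard in the hunk at -576. The two files need to agree because this code registers argument types for the format, so enabling `%n` in only one of them would presumably leave the argument list misaligned. The enclosing switch starts and ends outside the hunk.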
@@ -404,6 +405,7 @@ reswitch: switch (ch) {
if (error)
goto error;
continue; /* no output */
+#endif
case 'O':
flags |= LONGINT;
/*FALLTHROUGH*/
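Review bot: The closing `#endif` added here is bare, while the `#endif /* !NO_FLOATING_POINT */` just before the guarded case names its condition, and the matching `#ifdef` sits in a different hunk some twenty lines up. Writing it as `#endif /* DANGEROUS_PERCENT_N */` keeps the file's existing convention and makes the extent of the disabled region obvious. The same bare `#endif` appears in the hunk at -596 and in the second vfprintf.c hunk.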
@@ -576,6 +578,7 @@ reswitch: switch (ch) {
goto error;
break;
#endif /* !NO_FLOATING_POINT */
+#ifdef DANGEROUS_PERCENT_N
case 'n':
if (flags & INTMAXT)
error = addtype(&types, TP_INTMAXT);
@@ -596,6 +599,7 @@ reswitch: switch (ch) {
if (error)
goto error;
continue; /* no output */
+#endif
case 'O':
flags |= LONGINT;
/*FALLTHROUGH*/
diff --git a/lib/printf/vfprintf.c b/lib/printf/vfprintf.c
index 6ffccb3811..a0634cde4b 100644
--- a/lib/printf/vfprintf.c
+++ b/lib/printf/vfprintf.c
@@ -503,6 +503,11 @@ reswitch: switch (ch) {
size = (prec >= 0) ? strnlen(cp, prec) : strlen(cp);
sign = '\0';
break;
+#ifdef DANGEROUS_PERCENT_N
+ /* FRR does not use %n in printf formats. This is just left
+ * here in case someone tries to use %n and starts debugging
+ * why the f* it doesn't work
+ */
case 'n':
/*
* Assignment-like behavior is specified if the
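Review bot: The added comment says the case is kept for whoever ends up debugging a non-working `%n`, but it does not say why the specifier is disabled or what a format containing `%n` does now. With the case compiled out, `%n` presumably falls to the switch's default branch, which is outside this hunk, and its pointer argument is never fetched, so later conversions in the same format would read the wrong argument. I would state the reason in the comment, e.g. `/* %n writes the output count through a caller-supplied pointer; FRR never uses it, so it is compiled out. */`, and add a line on the runtime behaviour once that is confirmed. The `case 'n':` body continues past the end of this hunk.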
@@ -526,6 +531,7 @@ reswitch: switch (ch) {
else
*GETARG(int *) = ret;
continue; /* no output */
+#endif
case 'O':
flags |= LONGINT;
/*FALLTHROUGH*/