Theo de Raadt wrote: > This change is really weird. > > %n in a scanning string isn't the same as %n in a format string. > > Is clang mistakenly flagging %n in scanning strings? That might be a > mistake. clang should only be inspecting *printf style format strings.
No, clang is doing it right. I'm doing it wrong here. > The change to libc has no impact on scanning strings. scanning strings > with *scanf are *full* of pointer-store requests. scanning strings are > not used in attacks, only output format strings are used in attacks. We > are only changing the behaviour of output format strings. I was told this already. My assumption was that that input parsing is affected as well. > Furthermore, this change doesn't seem like a no-op. It is reformatting > the string. Upon input, the scanf could plausibly be insensitive to > leading 0's, spaces, etc etc. And that is the %n input length. But by > reprinting the string and creating a new string, you have a different > string and different length. Indeed. The diff should be discarded. > Does that matter? I don't know, but the change is dubious without > studying to make sure it isn't a new problem. > > Stefan Hagen <sh+openbsd-po...@codevoid.de> wrote: > > > Hi, > > > > This removes the '%n' format specifier from sysutils/cdrtools. > > > > Test: %n is used to align this list and it works like before: > > > > # cdrecord -scanbus > > Cdrecord-ProDVD-ProBD-Clone 3.00 (amd64-unknown-openbsd7.0) Copyright (C) > > 1995-2010 J�rg Schilling > > Using libscg version 'schily-0.9'. > > scsibus3: > > 3,0,0 300) * > > 3,1,0 301) 'MATSHITA' 'BD-MLT UJ272 ' '1.02' Removable CD-ROM > > 3,2,0 302) * > > 3,3,0 303) * > > 3,4,0 304) * > > 3,5,0 305) * > > 3,6,0 306) * > > 3,7,0 307) * > > > > Best regards, > > Stefan > > > > Index: sysutils/cdrtools/Makefile > > =================================================================== > > RCS file: /cvs/ports/sysutils/cdrtools/Makefile,v > > retrieving revision 1.23 > > diff -u -p -u -p -r1.23 Makefile > > --- sysutils/cdrtools/Makefile 12 Jul 2019 20:49:40 -0000 1.23 > > +++ sysutils/cdrtools/Makefile 10 Sep 2021 18:01:10 -0000 > > @@ -3,7 +3,7 @@ > > COMMENT= ISO 9660 filesystem and CD/DVD/BD creation tools > > > > DISTNAME= cdrtools-3.00 > > -REVISION= 1 > > +REVISION= 2 > > CATEGORIES= sysutils > > HOMEPAGE= http://cdrtools.sourceforge.net/private/cdrtools.html > > > > Index: sysutils/cdrtools/patches/patch-libscg_scsi-unixware_c > > =================================================================== > > RCS file: sysutils/cdrtools/patches/patch-libscg_scsi-unixware_c > > diff -N sysutils/cdrtools/patches/patch-libscg_scsi-unixware_c > > --- /dev/null 1 Jan 1970 00:00:00 -0000 > > +++ sysutils/cdrtools/patches/patch-libscg_scsi-unixware_c 10 Sep 2021 > > 18:01:10 -0000 > > @@ -0,0 +1,35 @@ > > +$OpenBSD$ > > + > > +Remove format specifier %n > > + > > +Index: libscg/scsi-unixware.c > > +--- libscg/scsi-unixware.c.orig > > ++++ libscg/scsi-unixware.c > > +@@ -75,8 +75,8 @@ LOCAL char _scg_trans_version[] = > > "scsi-unixware.c-1.3 > > + #define DEV_DIR "/tmp" > > + #define DEV_NAME "scg.s%1dt%1dl%1d" > > + > > +-#define SCAN_HBA "%d:%d,%d,%d:%7s : %n" > > +-#define SCAN_DEV "%d,%d,%d:%7s : %n" > > ++#define SCAN_HBA "%d:%d,%d,%d:%7s : " > > ++#define SCAN_DEV "%d,%d,%d:%7s : " > > + > > + #define PRIM_HBA "/dev/hba/hba1" > > + #define SCSI_CFG "LC_ALL=C /etc/scsi/pdiconfig -l" > > +@@ -257,11 +257,14 @@ extern char **environ; > > + memset(class, '\0', sizeof (class)); > > + memset(ident, '\0', sizeof (ident)); > > + > > ++ char tmp[MAXLINE]; > > + if (lines[0] == ' ') { > > +- sscanf(lines, SCAN_DEV, &bus, &tgt, &lun, class, &pos); > > ++ sscanf(lines, SCAN_DEV, &bus, &tgt, &lun, class); > > ++ pos = snprintf(tmp, sizeof(tmp), SCAN_DEV, bus, tgt, > > lun, class); > > + hba = lhba; > > + } else { > > +- sscanf(lines, SCAN_HBA, &hba, &bus, &tgt, &lun, class, > > &pos); > > ++ sscanf(lines, SCAN_HBA, &hba, &bus, &tgt, &lun, class); > > ++ pos = snprintf(tmp, sizeof(tmp), SCAN_HBA, hba, bus, > > tgt, lun, class); > > + nscg++; > > + lhba = hba; > > + atapi = 0;
