Subject: isc_print_vsnprintf: buffer not properly initialised
Date: Fri, 11 Jul 2014 11:30:19 +1000
To: bind9-bugs@isc.org
From: Mark Andrews <marka@isc.org>
CC: marketing@isc.org

Subject: BIND 9.9.2 - Bug in isc_print_vsnprintf() for '%llu' format
Date: Thu, 10 Jul 2014 16:45:35 +0000
To: security-officer@isc.org
From: Vasili Burdo <vasili.burdo@infoblox.com>
Bug Report from www.isc.org:
- Name: Vasili Burdo
- Email: vasili.burdo@infoblox.com
- Software Version: BIND 9.9.2
- OS: Linux
- Subject: Bug in isc_print_vsnprintf() for '%llu' format
Bug Detail
Hi,
This bug reveals itself when I tried to printf() a very large "long long" number in decimal – any number larger than 0xFFFFFFFF. It returns garbage, but does not crash.
This behavior is caused by incorrect buffer termination in file 'bind9/lib/isc/print.c' at line 320. Here:
—————————————————
file: lib/isc/print.c
299                         case 'u':
300                                 if (q)
301                                         tmpui = va_arg(ap, isc_uint64_t);
302                                 else if (l)
303                                         tmpui = va_arg(ap, unsigned long int);
304                                 else
305                                         tmpui = va_arg(ap, unsigned int);
306                                 if (tmpui <= 0xffffffffU)
307                                         sprintf(buf, "%lu",
308                                                 (unsigned long)tmpui);
309                                 else {
310                                         unsigned long mid;
311                                         unsigned long lo;
312                                         unsigned long hi;
313                                         lo = tmpui % 1000000000;
314                                         tmpui /= 1000000000;
315                                         mid = tmpui % 1000000000;
316                                         hi = tmpui / 1000000000;
317                                         if (hi != 0)
318                                                 sprintf(buf, "%lu", hi);
319                                         else
320                                                 buf[0] = '\n'; // <-- BUG is HERE. To fix, replace '\n' with '\0'
321                                         sprintf(buf + strlen(buf), "%lu", mid);
322                                         sprintf(buf + strlen(buf), "%lu", lo);
323                                 }
324                                 goto printint;
—————————————————
As you see, this is a buffer overrun, caused by incorrect buffer termination.
Please let me know if you're going to fix it.
If I do not get an answer until Aug 1st, I'll report it elsewhere.
---
This email was received through isc.org Bug Submission Form
All information within this email is considered confidential and for internal use only.
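The defect described in the report above, reproduced side by side with a hardened version. This is an added example, not BIND's code: `buggy_format_u64` mirrors the three-group split from the quoted snippet including the `'\n'` at the `hi == 0` branch, and `reproduce_buggy` prefills the buffer with a constructed pattern so the stale-byte behaviour is deterministic instead of undefined. `fixed_format_u64` is an assumed replacement, not ISC's actual fix: it writes the whole value with one bounded `snprintf`, so there is no unterminated buffer for `strlen` to walk off, and it zero-pads the lower nine-digit groups so every group keeps its width.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/*
 * Mirrors the reported snippet: the value is split into three groups of
 * up to nine decimal digits.  When hi == 0 the buffer is "terminated"
 * with '\n' instead of '\0', so the following strlen(buf) measures
 * whatever bytes already sit in buf, and the two sprintf() calls land
 * at an offset chosen by stale data.  (Constructed reproduction.)
 */
void buggy_format_u64(uint64_t v, char *buf)
{
	unsigned long hi, mid, lo;

	lo = (unsigned long)(v % 1000000000);
	v /= 1000000000;
	mid = (unsigned long)(v % 1000000000);
	hi = (unsigned long)(v / 1000000000);
	if (hi != 0)
		sprintf(buf, "%lu", hi);
	else
		buf[0] = '\n';		/* the reported bug: not a terminator */
	sprintf(buf + strlen(buf), "%lu", mid);
	sprintf(buf + strlen(buf), "%lu", lo);
}

/*
 * Deterministic demonstration: fill buf with 'X' and place a NUL at
 * index 8 so strlen() in the buggy routine returns 8.  The digits are
 * then written after seven 'X' bytes and the leading '\n'.  Requires
 * len >= 32.  (Constructed prefill, not what a real caller would do.)
 */
void reproduce_buggy(uint64_t v, char *buf, size_t len)
{
	memset(buf, 'X', len);
	buf[8] = '\0';
	buggy_format_u64(v, buf);
}

/*
 * Hardened replacement (assumed, not ISC's fix): one bounded write,
 * always NUL-terminated by snprintf, and the lower groups are padded
 * with "%09lu" so e.g. 10000000000 is not rendered as "100".
 * Returns the number of characters that the full value needs.
 */
int fixed_format_u64(uint64_t v, char *buf, size_t len)
{
	unsigned long hi, mid, lo;

	lo = (unsigned long)(v % 1000000000);
	v /= 1000000000;
	mid = (unsigned long)(v % 1000000000);
	hi = (unsigned long)(v / 1000000000);
	if (hi != 0)
		return snprintf(buf, len, "%lu%09lu%09lu", hi, mid, lo);
	if (mid != 0)
		return snprintf(buf, len, "%lu%09lu", mid, lo);
	return snprintf(buf, len, "%lu", lo);
}

int main(void)
{
	char buf[64];
	uint64_t v = 0x100000000ULL;	/* 4294967296, first value > 0xFFFFFFFF */

	reproduce_buggy(v, buf, sizeof buf);
	printf("buggy: first byte 0x%02x, text after it: \"%s\"\n",
	       (unsigned char)buf[0], buf + 1);
	fixed_format_u64(v, buf, sizeof buf);
	printf("fixed: \"%s\"\n", buf);
	return 0;
}
```

Run it and the buggy output starts with a newline followed by the filler bytes, which is the "garbage" the report describes; the fixed output is the plain decimal string. The detection hint is the same in both directions: any `sprintf(buf + strlen(buf), ...)` pattern depends on `buf` being a valid C string at every step, so an audit of such code should confirm each branch that skips the first write still stores a `'\0'`.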