Bug #376

closed

Possible buffer overflow in addOverrideKey()

Added by Jörg Riesmeier over 15 years ago. Updated almost 9 years ago.

Status: Closed
Priority: High
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Module: dcmnet + others
Operating System:
Compiler:

Description

http://forum.dcmtk.org/viewtopic.php?t=2523
At least the following tools are affected:

movescu
wltests
snd2dcm

'DcmPath' & Co. are likely culprits.

The former ones should be done, I haven't seen a sscanf() with a "%s" in DcmPath - Uli

=== Comment Uli ===

Find all instances, where sscanf() is used with s or something else (only %s happens though): git grep sscanf | grep -E '[^%"]*s'

dcmqrdb/libsrc/dcmqrcnf.cc: if (sscanf(rcline, "%s", mnemonic) != 1)
dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(valueptr, "%s", value);
dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(valueptr, "%s", value);
dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(valueptr, "%s", value);
dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(rcline, "%s %s", mnemonic, value);
dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(rcline, "%s %s", mnemonic, value);
dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(rcline, "%s %s", mnemonic, value);
dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(helpvalue, "%d , %s", &studies, helpval);
dcmqrdb/libsrc/dcmqrtis.cc: narg = sscanf(cmdbuf, "send %s %d", cmdarg, &iarg);
Found in dcmdata/libsrc/dcddirif.cc, dcmnet/apps/movescu.cc, dcmwlm/tests/wltests.cc and dcmwave/apps/snd2dcm.cc.
Actions #1

Updated by Andrew Chiw over 12 years ago

Possible buffer overflow in addOverrideKey()
Description

http://forum.dcmtk.org/viewtopic.php?t=2523
At least the following tools are affected:

movescu
wltests
snd2dcm

'DcmPath' & Co. are likely culprits.

The former should be settled, I haven't seen a sscanf() with a "%s" in DcmPath -- Uli

=== Comment Uli ===

Find all instances, where sscanf() is used with s or something else (only %s happens though): git grep sscanf | grep -E '[^%"]*s'
dcmqrdb/libsrc/dcmqrcnf.cc: if (sscanf(rcline, "%s", mnemonic) != 1)
dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(valueptr, "%s", value);
dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(valueptr, "%s", value);
dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(valueptr, "%s", value);
dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(rcline, "%s %s", mnemonic, value);
dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(rcline, "%s %s", mnemonic, value);
dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(rcline, "%s %s", mnemonic, value);
dcmqrdb/libsrc/dcmqrcnf.cc: sscanf(helpvalue, "%d , %s", &studies, helpval);
dcmqrdb/libsrc/dcmqrtis.cc: narg = sscanf(cmdbuf, "send %s %d", cmdarg, &iarg);
Found in dcmdata/libsrc/dcddirif.cc, dcmnet/apps/movescu.cc, dcmwlm/tests/wltests.cc and dcmwave/apps/snd2dcm.cc.

Actions #2

Updated by Marco Eichelberg almost 9 years ago

  • Status changed from New to Closed

All remaining instances of sscanf with %s parameter in the toolkit were checked, dcmqrdb is the only module doing this, however, only on a string of known maximum size and not on an input line. Increased some buffer sizes to guarantee that no buffer overflows are possible.
Commit 22206bc thus closes this bug.
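
The `sscanf(..., "%s %s", ...)` pattern listed in this ticket, hardened with a field width instead of the buffer-size increase described in the closing comment. This is an added example, not DCMTK code: `take_field`, `parse_pair` and `FIELD_MAX` are hypothetical names, and the input lines are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed limit for this example, not a value taken from DCMTK. */
#define FIELD_MAX 15
#define STR2(x) #x
#define STR(x) STR2(x)

/* Read one whitespace-delimited token from *p into dst (FIELD_MAX + 1 bytes).
 * The field width caps what sscanf() stores; %n reports how much input was
 * consumed so a token cut short by the width can be rejected.
 * Returns 0 on success, -1 if the token is missing or too long. */
static int take_field(const char **p, char *dst)
{
    int used = 0;

    if (sscanf(*p, " %" STR(FIELD_MAX) "s%n", dst, &used) != 1)
        return -1;
    *p += used;
    /* A full token ends at whitespace or NUL; anything else means the
     * width stopped the conversion in the middle of an over-long token. */
    if (**p != '\0' && !isspace((unsigned char)**p))
        return -1;
    return 0;
}

/* Hypothetical bounded stand-in for: sscanf(line, "%s %s", mnemonic, value) */
int parse_pair(const char *line, char *mnemonic, char *value)
{
    const char *p = line;

    if (take_field(&p, mnemonic) != 0 || take_field(&p, value) != 0)
        return -1;
    return 0;
}

int main(void)
{
    char m[FIELD_MAX + 1], v[FIELD_MAX + 1];
    /* Constructed input lines: well-formed, over-long first token, one token. */
    const char *lines[] = { "alpha beta", "AAAAAAAAAAAAAAAAAAAAAAAA x", "alpha" };

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-28s -> %d\n", lines[i], parse_pair(lines[i], m, v));
    return 0;
}
```

A width alone prevents the overflow but splits an over-long token across both fields without any error; the separator check after `%n` is what turns that into a rejected line.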
