There was a rogue sscanf("%s") with no field width limit, writing into a
stack-based buffer and scanning a string containing untrusted data
received from the server. It occurs in the 'sink' side of the protocol,
i.e. when downloading files *from* the server.
Our own bug id for this vulnerability is 'vuln-pscp-sink-sscanf'.
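As an added illustration of the fix (example code written for this advisory, not PuTTY's own; the struct, the function name and the use of strtoull in place of uint64_from_decimal are assumptions), here is a bounded parser for the `C<mode> <size> <name>` header line that also rejects the cases a field width alone does not catch:

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parsed form of an SCP "C<mode> <size> <name>" header line.
   Example code for this advisory, not PuTTY's own; names are hypothetical. */
struct scp_file_hdr {
    unsigned long permissions;
    uint64_t size;
    const char *name;          /* points into the caller's buffer */
};

/* Returns 0 on success, -1 on protocol error. The size token is bounded by
   the %39s field width (the fix in the advisory), and two cases the width
   alone does not catch are rejected rather than silently accepted: a size
   token that filled the whole field with no separator after it, and a size
   that is not a plain decimal number or does not fit in 64 bits. */
int parse_scp_c_header(const char *buf, struct scp_file_hdr *out)
{
    char sizestr[40];          /* 39 characters plus the terminating NUL */
    int i = 0;                 /* offset stored by %n; stays 0 if not reached */
    char *end;

    if (buf[0] != 'C')
        return -1;
    buf++;                     /* skip the 'C' message type byte */
    if (sscanf(buf, "%lo %39s %n", &out->permissions, sizestr, &i) != 2)
        return -1;
    /* The trailing whitespace directive leaves i at the first name byte, so
       buf[i-1] must be the separator; a digit there means %39s truncated. */
    if (i == 0 || !isspace((unsigned char)buf[i - 1]) || buf[i] == '\0')
        return -1;
    if (!isdigit((unsigned char)sizestr[0]))
        return -1;             /* strtoull would accept '+', '-' or blanks */
    errno = 0;
    out->size = strtoull(sizestr, &end, 10);  /* stands in for uint64_from_decimal */
    if (*end != '\0' || errno == ERANGE)
        return -1;
    out->name = buf + i;
    return 0;
}
```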
{
char sizestr[40];
- if (sscanf(act->buf, "%lo %s %n", &act->permissions,
+ if (sscanf(act->buf, "%lo %39s %n", &act->permissions,
sizestr, &i) != 2)
bump("Protocol error: Illegal file descriptor format");
act->size = uint64_from_decimal(sizestr);
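Review bot: on the `+` line, `%39s` bounds the write into `sizestr[40]`, but a size token longer than 39 characters is now silently truncated rather than rejected: the whitespace directive before `%n` consumes nothing when the next byte is still a digit, so `i` is left pointing into the leftover digits while the `!= 2` check still passes, and `uint64_from_decimal` sees only the first 39 characters. Consider also requiring that `act->buf[i - 1]` is whitespace (equivalently, that the size field did not fill all 39 characters without a separator following it) and raising the same "Protocol error" `bump` when it is not.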