Fix some unsafe print calls.
authorGuy Harris <[email protected]>
Sun, 30 Mar 2014 19:45:18 +0000 (12:45 -0700)
committerGuy Harris <[email protected]>
Sun, 30 Mar 2014 19:45:18 +0000 (12:45 -0700)
The format argument to a printf-like routine should either be a constant
string or a variable *known* to point to a format string.  It should not
be an arbitrary string you're trying to print - if that string contains
% characters, they will be interpreted as part of a format
specification, which can cause crashes (e.g., "%s", if what appears to
be an argument corresponding to that %s, when interpreted as a pointer,
doesn't point to a valid string) or other incorrect behavior.

If you want to print a string, use "%s" as the format and the string as
the argument.

print-bootp.c

index 9b163564bb44e5d70ebd49c0a7140feb50186dfa..f41f2ea844597961e83c45ee0be9fa9692e2742a 100644 (file)
@@ -133,7 +133,7 @@ bootp_print(netdissect_options *ndo,
                ND_PRINT((ndo, "\n\t  sname \""));
                if (fn_print(bp->bp_sname, ndo->ndo_snapend)) {
                        ND_PRINT((ndo, "\""));
-                       ND_PRINT((ndo, tstr + 1));
+                       ND_PRINT((ndo, "%s", tstr + 1));
                        return;
                }
                ND_PRINT((ndo, "\""));
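Review bot: The `tstr + 1` offset on the added line is unexplained, and the same applies to the identical change in the `file` hunk at line 143. `tstr` is defined outside both hunks; if it is a fixed truncation marker that begins with a separator character, a comment such as `/* skip tstr's leading separator; the closing quote was just printed */` would make the intent clear (confirm against the definition). Since the fix is applied by hand at two call sites, it is also worth checking that the printf-like function behind `ND_PRINT` is declared with a `format(printf, ...)` attribute and that the build enables `-Wformat-security`, so that any remaining non-literal format arguments are flagged at compile time. The body of `bootp_print` starts and ends outside these hunks, so other call sites in the function are not visible here.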
@@ -143,7 +143,7 @@ bootp_print(netdissect_options *ndo,
                ND_PRINT((ndo, "\n\t  file \""));
                if (fn_print(bp->bp_file, ndo->ndo_snapend)) {
                        ND_PRINT((ndo, "\""));
-                       ND_PRINT((ndo, tstr + 1));
+                       ND_PRINT((ndo, "%s", tstr + 1));
                        return;
                }
                ND_PRINT((ndo, "\""));