Format String Attack?

Question

A recent security notice (http://osdir.com/ml/bugtraq.security/2015-04/msg00102.html) stated that this line of code:

fprintf(stderr, (isprint(adata->contents[i])) ? "%c " : "%02x", adata->contents[i]);

was subject to a "format string attack" which I understand as using something like:

fprintf(stderr, varWithUserSuppliedData);

instead of:

fprintf(stderr, "%s", varWithUserSuppliedData);

but I'm not seeing that in that first fprintf call - what am I missing?

Answer 1

Thanks to @cremno for providing a link to the GIT repository for the file in question: kssl.c (Note that this is not the repository head.)

It's clear that this report is spurious. First, there is no real problem with the fprintf call, although you can argue that code in a security-related product like OpenSSL needs to go beyond being secure to the point of being visibly secure even to a casual glance. (I'm not sure I would make that argument, but it has been made.)

But more importantly, the code in question is disabled (note the preprocessor directives surrounding it):

# if 0
{
    int i;
    fprintf(stderr, "%s[at%d:%d] ", label, adata->ad_type, adata->length);
    for (i = 0; i < adata->length; i++) {
        fprintf(stderr, (isprint(adata->contents[i])) ? "%c " : "%02x",
                        adata->contents[i]);
    }
    fprintf(stderr, "\n");
}
# endif