Closed jcorporation closed 3 years ago
You are missing arguments to the function call. In your example, you are passing in "%n%n", but not passing in any further variables to cater for that. More importantly, %n requires a pointer to a signed int.
e.g.
int var1, var2;
mg_http_reply(c, 200, "Content-Type: application/json\r\n", "%n%n", &var1, &var2);
mg_http_reply treats this argument as an format string? Is this undocumented?
@jcorporation That is documented, https://cesanta.com/docs/#mg_http_reply
Sorry, my error
This issue was detect by my api fuzzer for my myMPD project that integrates mongoose.
The %n format specifiers seems to be the trigger of the segmentation fault.
Steps to reproduce:
mg_http_reply(c, 200, "Content-Type: application/json\r\n", "%n%n");
instead of serving the directoryPlattform:
Error: