OpenConnect Fortinet: server-induced chosen-offset stack write via snprintf-return-value cursor arithmetic
A ten-line C block in OpenConnect's Fortinet handler builds a version-info string with the classic snprintf-cursor idiom: advance a pointer by snprintf's return value across successive calls into a fixed stack buffer. Because snprintf returns the length it *would have* written — not the length it did — a single oversized field advances the cursor past the buffer end. The subsequent size argument computed as `e - p` is a negative ptrdiff_t that implicitly converts to a near-SIZE_MAX size_t. The next call happily writes a short, format-string-controlled payload at a caller-chosen offset — including the saved-RIP slot of the parent stack frame. Full walkthrough of the C language semantics that make the primitive, the stack-frame math that lands the write on saved RIP, the mitigation matrix (FORTIFY catches, SSP does not), and the pattern to grep for in any C codebase that builds strings incrementally.