LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

How come they did not get a warning?

How come they did not get a warning?

Posted Feb 2, 2012 15:20 UTC (Thu) by rvfh (subscriber, #31018)
Parent article: Format string vulnerabilities

Apparently Ubuntu forces -Wformat-security by default, as documented here, meaning that GCC will complain if I do that:

$ cat main.c
#include <stdio.h>

int main(void) {
        const char* str = "Hello, world";
        printf(str);
        return 0;
}

$ gcc main.c
main.c: In function ‘main’:
main.c:5:2: warning: format not a string literal and no format arguments [-Wformat-security]

I suppose Fedora and SuSE do the same, so my question is: what do the sudo developers compile on? And which warnings do they use? Or more importantly: how do they react when a warning appears? In my experience, warnings have a strong smell of mushrooms bugs.

(Log in to post comments)

How come they did not get a warning?

Posted Feb 3, 2012 12:42 UTC (Fri) by jwakely (subscriber, #60262) [Link]

Strangely enough, the sudo code wasn't doing a "hello world" toy example like the article and your one. Try this, which is closer to the real code 
#include <stdarg.h>
#include <stdio.h>

void
sudo_debug(const char* progname, const char *fmt, ...)
{
    va_list ap;
    char fmt2[200];
    sprintf(fmt2, "%s: %s\n", progname, fmt);
    va_start(ap, fmt);
    vfprintf(stderr, fmt2, ap);
    va_end(ap);
}
Still get a warning?

How come they did not get a warning?

Posted Feb 5, 2012 21:35 UTC (Sun) by k8to (subscriber, #15413) [Link]

I naively tend to think this pattern should be not used. I don't see much call for par-formatted strings that are later formatted again.

If you believe you have a fixed string, you can do the moral equivalent of

printf("%s", str);

which is what I do in my code.

If you need to build out a string piecemeal, you can build and append to a string without formatting it more than once.

If you need to do some fairly sophisticated templating functionality that really requires multiple passes of interpretation, there are libraries that are designed for that purpose. Although you should think hard if you really need that; typically you don't.

How come they did not get a warning?

Posted Feb 11, 2012 23:27 UTC (Sat) by cras (guest, #7000) [Link]

clang gives a warning with it.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds