From: Kris Kennaway <kris@obsecurity.org>
To: Seth Kingsley
Cc: Kris Kennaway, obrien@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: WFORMAT=1 errors
Date: Tue, 14 Aug 2001 02:40:27 -0700
Message-ID: <20010814024026.A36283@xor.obsecurity.org>
In-Reply-To: <20010813174001.B33585@meow.lab.nuxi.com>

On Mon, Aug 13, 2001 at 05:40:01PM -0700, Seth Kingsley wrote:
> I'm running into a problem here with format strings that are being used
> safely as pointers to string constants, but eliciting warnings because
> they are not literal string constants. The following test program should
> _not_ cause warnings because of a non-constant format. Unless I am
> misunderstanding the purpose of this kind of format parameter auditing,
> passing a pointer to string const should be perfectly acceptable. And as
> it is used in usr.bin/make, there is obviously no security issue with
> this.
>
> #include <stdio.h>
>
> int
> main(void)
> {
>         const char *fmt = "%s\n";
>
>         printf(fmt, "Hello World");
>         return 0;
> }

Make it a const char fmt[].  gcc doesn't complain if you repoint fmt to
something else if it's a const char * -- that something else can be
variable input and therefore potentially insecure:

#include <stdio.h>
#include <stdlib.h>

int
main(int argc, char **argv)
{
        const char *fmt = "%s\n";

        if (argc > 1)
                fmt = argv[1];  /* fmt now points at untrusted input */
        printf(fmt, "bar");
        exit(0);
}

> cc -o /tmp/foo -Wnon-const-format ${BDECFLAGS} /tmp/foo.c
/tmp/foo.c: In function `main':
/tmp/foo.c:9: warning: non-constant format parameter

#include <stdio.h>
#include <stdlib.h>

int
main(int argc, char **argv)
{
        const char fmt[] = "%s\n";

        if (argc > 1)
                fmt = argv[1];  /* an array cannot be repointed; gcc rejects this */
        printf(fmt, "bar");
        exit(0);
}

> cc -o /tmp/foo -Wnon-const-format ${BDECFLAGS} /tmp/foo.c
/tmp/foo.c: In function `main':
/tmp/foo.c:7: warning: assignment of read-only variable `fmt'
/tmp/foo.c:7: incompatible types in assignment

(Note: no variable format string warning, and we get extra warnings if we
try and repoint it anyway).

Kris
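An added example, not code from Kris's message or from the FreeBSD tree: the thread's fix (a const char[] that cannot be repointed) covers formats known at compile time, but where a format genuinely has to arrive through a pointer the compiler cannot vouch for it, so the call site has to check at runtime that the format's conversions are exactly the ones it supplies arguments for. The function name, the "%x %x" stand-in input and the "s" signature are assumptions made up for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not from the thread.  Returns 1 if the conversion
 * characters in fmt, in order, are exactly the string `expected`
 * (e.g. "sd" for one %s followed by one %d), else 0.  "%%" is a
 * literal percent sign; a '*' width is rejected because it consumes
 * an extra argument the caller did not account for.
 */
int
format_matches(const char *fmt, const char *expected)
{
	const char *p = fmt;
	const char *e = expected;

	while ((p = strchr(p, '%')) != NULL) {
		p++;
		if (*p == '%') {	/* escaped percent, not a conversion */
			p++;
			continue;
		}
		/* skip flags, field width, precision and length modifiers */
		while (*p != '\0' && strchr("-+ #0123456789.hlLqjzt", *p) != NULL)
			p++;
		/* bare trailing '%', more conversions than expected, or wrong type */
		if (*p == '\0' || *e == '\0' || *p != *e)
			return 0;
		p++;
		e++;
	}
	return *e == '\0';	/* the format must consume every supplied argument */
}

int
main(int argc, char **argv)
{
	static const char fmt[] = "%s\n";	/* the const char[] form from the thread */
	/* constructed stand-in for untrusted input when no argument is given */
	const char *user = argc > 1 ? argv[1] : "%x %x\n";

	if (format_matches(user, "s"))
		printf(user, "bar");	/* exactly one %s: one string argument is safe */
	else
		fputs("rejected: format does not match the expected signature\n", stderr);
	printf(fmt, "Hello World");
	return 0;
}
```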