Date: Tue, 14 Aug 2001 02:40:27 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Seth Kingsley <seth.kingsley@windriver.com>
Cc: Kris Kennaway <kris@obsecurity.org>, obrien@FreeBSD.ORG, audit@FreeBSD.ORG
Subject: Re: WFORMAT=1 errors
Message-ID: <20010814024026.A36283@xor.obsecurity.org>
In-Reply-To: <20010813174001.B33585@meow.lab.nuxi.com>; from seth.kingsley@windriver.com on Mon, Aug 13, 2001 at 05:40:01PM -0700
References: <20010810182125.A47936@xor.obsecurity.org> <20010810194150.A71696@meow.lab.nuxi.com> <20010810202002.A49763@xor.obsecurity.org> <20010813174001.B33585@meow.lab.nuxi.com>

On Mon, Aug 13, 2001 at 05:40:01PM -0700, Seth Kingsley wrote:

> I'm running into a problem here with format strings that are being used
> safely as pointers to string constants, but eliciting warnings because
> they are not literal string constants. The following test program should
> _not_ cause warnings because of a non-constant format. Unless I am
> misunderstanding the purpose of this kind of format parameter auditing,
> passing a pointer to string const should be perfectly acceptable. And as
> it is used in usr.bin/make, there is obviously no security issue with
> this.
>
> #include <stdio.h>
>
> int
> main(void)
> {
>         const char *fmt = "%s\n";
>
>         printf(fmt, "Hello World");
>         return 0;
> }

Make it a const char fmt[]. gcc doesn't complain if you repoint fmt to
something else if it's a const char * -- that something else can be
variable input and therefore potentially insecure:

#include <stdio.h>

int main(int argc, char **argv) {
        const char *fmt="%s\n";

        if (argc > 1)
                fmt = argv[1];

        printf(fmt, "bar");
        exit(0);
}

> cc -o /tmp/foo -Wnon-const-format ${BDECFLAGS} /tmp/foo.c
/tmp/foo.c: In function `main':
/tmp/foo.c:9: warning: non-constant format parameter

#include <stdio.h>

int main(int argc, char **argv) {
        const char fmt[]="%s\n";

        if (argc > 1)
                fmt = argv[1];

        printf(fmt, "bar");
        exit(0);
}

> cc -o /tmp/foo -Wnon-const-format ${BDECFLAGS} /tmp/foo.c
/tmp/foo.c: In function `main':
/tmp/foo.c:7: warning: assignment of read-only variable `fmt'
/tmp/foo.c:7: incompatible types in assignment

(Note: no variable format string warning, and we get extra warnings if
we try and repoint it anyway).

Kris
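
The case the reply warns about, a format pointer that ends up holding variable input, sketched as an added example that is not part of the original message or of FreeBSD's code: when a format has to come from outside the program, it can be checked against the conversions the call site supplies and replaced by a fixed const char[] format if it does not match. The names fmt_conforms and format_one_string are hypothetical, and the check goes beyond the message's advice by accepting only bare %c, %d, %i, %s, %u, %x and %% (no flags, width, precision, length modifiers, '*' or %n).

```c
#include <stdio.h>
#include <string.h>

/*
 * Return 1 if fmt holds exactly the conversions named in expect, in order
 * ("s" means one %s, "sd" means %s then %d), otherwise 0. "%%" is allowed
 * and consumes nothing from expect. Anything else after '%' is rejected.
 */
int fmt_conforms(const char *fmt, const char *expect)
{
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;                            /* character after the '%' */
        if (*p == '%')                  /* "%%": literal percent sign */
            continue;
        /* Trailing '%', unsupported conversion, or one the caller
         * does not pass an argument for. */
        if (*p == '\0' || strchr("cdisux", *p) == NULL || *p != *expect)
            return 0;
        expect++;
    }
    return *expect == '\0';             /* every expected argument is used */
}

/*
 * Format one string argument into out. A runtime-supplied fmt is used only
 * if it takes exactly one %s; otherwise the fixed format is used instead.
 */
int format_one_string(char *out, size_t outlen, const char *fmt,
    const char *arg)
{
    static const char fallback[] = "%s\n";  /* array: cannot be repointed */

    if (fmt == NULL || !fmt_conforms(fmt, "s"))
        fmt = fallback;
    return snprintf(out, outlen, fmt, arg);
}
```
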