Closed
Bug 521679
Opened 15 years ago
Closed 14 years ago
Fix NSS build warnings: "format not a string literal and no format arguments"
Categories
(NSS :: Tools, defect, P4)
Tracking
(Not tracked)
RESOLVED
FIXED
3.12.7
People
(Reporter: dholbert, Assigned: dholbert)
References
()
Details
Attachments
(1 file, 1 obsolete file)
3.79 KB,
patch
|
nelson
:
review+
|
Details | Diff | Splinter Review |
When building mozilla-central, I get 6 warnings of this type in NSS code: > secutil.c:1066: warning: format not a string literal and no format arguments This is GCC detecting a potential format string attack ( http://en.wikipedia.org/wiki/Format_string_attack ). This is mostly an issue when the printed string is user-controlled, but it's trivial to fix, so I don't see why we shouldn't just fix it. The attached patch fixes 6 instances of this problem in NSS. (Combined with the patch on bug 521677, this fixes all warnings of this type that I hit when building current mozilla-central.)
Assignee | ||
Updated•15 years ago
|
Attachment #405792 -
Flags: review?(nelson)
Assignee | ||
Updated•15 years ago
|
Assignee | ||
Comment 1•15 years ago
|
||
dbaron pointed out in bug 521677 that |fprintf(stream, "%s", str)| calls can be shortened to |fputs(str, stream)|. I can do that for the affected fprintf calls in this bug's patch, too, if desired.
Comment 2•15 years ago
|
||
Comment on attachment 405792 [details] [diff] [review] fix: s/printf(foo)/printf("%s", foo)/ >- fprintf(stdout, str); >+ fprintf(stdout, "%s", str); > fprintf(stdout, " > "); If the first of those fprintf calls is wrong, then why isn't the second? I claim neither is wrong.
Assignee | ||
Comment 3•15 years ago
|
||
The first is "wrong" because we don't know what "str" contains -- if it contains e.g. "%s", then fprintf(stdout, str) could start printing out memory from the stack and/or crash. The second is not wrong because you can tell from inspection (and your compiler can tell from static checking) that it doesn't contain any percent-strings, so it won't do anything nasty.
Comment 4•15 years ago
|
||
It's a static function with a small finite number of callers in the same source file. One can tell by inspection of the source file whether it is correct or not.
Assignee | ||
Comment 5•15 years ago
|
||
(In reply to comment #4) > It's a static function with a small finite number of callers in the same > source file. Well, it's called 19 different times (and it often passes in long multi-line strings). That's on the large side of "small". > One can tell by inspection of the source file whether it is > correct or not. But when the fix is so trivial (and commonly understood to be The Right/Secure Thing To Do), why not use the safer style, so that there's no reason to worry about inspecting 19 different callers in the first place? And most importantly from my point of view, why not fix this and eliminate 12 lines of useless warning-spam from every NSS & mozilla build? :) (12 lines = 6 warnings * 2 lines per warning)
Updated•15 years ago
|
Assignee: nobody → dholbert
Severity: normal → trivial
Priority: -- → P4
Updated•15 years ago
|
Component: Libraries → Tools
QA Contact: libraries → tools
Comment 6•15 years ago
|
||
Comment on attachment 405792 [details] [diff] [review] fix: s/printf(foo)/printf("%s", foo)/ The answer to the "why not" question is that there are a whole bunch of serious security bugs that the NSS team should be working on, and working on this cosmetic flaw in some QA test tools takes people away from the more important work.
Attachment #405792 -
Flags: review?(nelson) → review?(emaldona)
Assignee | ||
Comment 7•15 years ago
|
||
Fair enough -- clearly this isn't a blocker bug. :) This bug is just to scratch an itch -- to try and cut down on the number of build warnings generated by mozilla-central -- but I'm not arguing that this needs to be addressed ASAP or anything.
Comment 8•15 years ago
|
||
Comment on attachment 405792 [details] [diff] [review] fix: s/printf(foo)/printf("%s", foo)/ +1, using fputs would be nice but not required
Attachment #405792 -
Flags: review?(emaldona) → review+
Assignee | ||
Comment 9•15 years ago
|
||
Fixed up the previous patch to prefer fputs in all cases, except for with the "FPS" macro in nss/cmd/certutil/keystuff.c (where FPS is #defined as "fprintf(stderr,")
Attachment #405792 -
Attachment is obsolete: true
Attachment #409449 -
Flags: review?
Assignee | ||
Updated•15 years ago
|
Attachment #409449 -
Flags: review? → review?(emaldona)
Assignee | ||
Comment 10•15 years ago
|
||
diff from old patch to new patch is available here: http://hg.mozilla.org/users/dholbert_mozilla.com/simple-patches/rev/609d2aaa96ac
Comment 11•15 years ago
|
||
dholbert: bugzilla can do that for us: https://bugzilla.mozilla.org/attachment.cgi?oldid=405792&action=interdiff&newid=409449&headers=1
Comment 12•14 years ago
|
||
Bug 521679: Fix warnings: "format not a string literal and no format arguments" Patch contributed by Daniel Holbert <dholbert@mozilla.com>, r=nelson Checking in certutil/certext.c; new revision: 1.11; previous revision: 1.10 Checking in certutil/keystuff.c; new revision: 1.22; previous revision: 1.21 Checking in lib/secutil.c; new revision: 1.99; previous revision: 1.98 Checking in pk12util/pk12util.c; new revision: 1.43; previous revision: 1.42
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.12.7
Updated•14 years ago
|
Attachment #409449 -
Flags: review?(emaldona) → review+
You need to log in
before you can comment on or make changes to this bug.
Description
•