Opened 7 years ago
Last modified 6 years ago
#140 new defect
Fix format-nonliteral warnings
| Reported by: | Julien ÉLIE | Owned by: | |
|---|---|---|---|
| Priority: | low | Milestone: | 2.7.0 |
| Component: | general | Version: | 2.6.0 |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
To build with GCC's "-Wformat-nonliteral" warning enabled, [9911] suppressed a few checks in the code, pending a proper fix.
For instance:
```c
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
snprintf(address, sizeof(address), save, name);
#pragma GCC diagnostic warning "-Wformat-nonliteral"
```
GCC 4.4.7 cannot build INN because pragmas are not allowed inside functions for old GCC versions.
So these pragmas were suppressed in STABLE 2.6 with [10040].
They are still present in CURRENT 2.7. They need to be fixed before the release of 2.7.0.
Here is what Russ Allbery suggests:
"printf provides a full formatting language, of which INN only wants one very specific feature. Using it this way is questionable from a security standpoint, since any bogus moderator pattern could produce all sorts of buffer overflow problems and other issues.

I think the best fix is to write a function that expands the address by doing something like:

- Determine the length of the full address as the length of the pattern, plus the length of the newsgroup name if %s was found in the pattern, minus the count of occurrences of %% in the pattern.
- Allocate enough memory to hold the result as a string.
- Copy the pattern to the output buffer until %% or %s is found, copying % for the former and the mangled group name for the latter.

This requires writing some irritating string manipulation code in C, but one only has to do it once, throw some test programs at it, and then there are no more worries about someone finding a way to abuse INN's reuse of sprintf for something it wasn't really intended for."
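The two-pass expansion suggested above, written out as an added example (not INN's code and not part of this ticket). It generalizes the suggestion slightly by handling any number of %s occurrences, and it assumes the caller passes the already-mangled group name; any '%' sequence other than %s and %% is copied literally, so a hostile pattern never reaches printf.

```c
#include <stdlib.h>
#include <string.h>

/* Expand a moderator address pattern without using it as a printf format.
 * Only "%s" (replaced by the mangled group name) and "%%" (a literal '%')
 * are honoured; anything else, including stray "%n" or "%d", is copied as
 * is.  Returns a malloc()ed string, or NULL on allocation failure. */
char *
expand_moderator_pattern(const char *pattern, const char *group)
{
    size_t glen = strlen(group);
    size_t outlen = strlen(pattern);
    const char *p;
    char *out, *q;

    /* Pass 1: exact output length, as in the suggestion: pattern length,
     * plus the group length for each %s (which itself is 2 bytes),
     * minus one byte for each %%. */
    for (p = pattern; *p != '\0'; p++) {
        if (*p == '%' && p[1] == 's') {
            outlen += glen;
            outlen -= 2;
            p++;
        } else if (*p == '%' && p[1] == '%') {
            outlen -= 1;
            p++;
        }
    }

    out = malloc(outlen + 1);
    if (out == NULL)
        return NULL;

    /* Pass 2: copy, substituting only the two recognised directives.
     * The length was computed from the same rules, so q never overruns. */
    for (p = pattern, q = out; *p != '\0'; p++) {
        if (*p == '%' && p[1] == 's') {
            memcpy(q, group, glen);
            q += glen;
            p++;
        } else if (*p == '%' && p[1] == '%') {
            *q++ = '%';
            p++;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}
```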
The format-nonliteral warning has been silenced for older GCC releases with [10217]. This ticket is therefore no longer blocking for INN 2.7.0.