Sergio Belkin wrote:
> Regarding the "format not a string literal and no format arguments
> [-Werror=format-security]" message.
> Afaik instructions of the kind printf(format,var1,var2,...) always fail,
> since it can't verify at compile time that the format includes the number
> of variables that appear later.
GCC does exactly that. It has special knowledge of the printf family of
functions and verifies that the arguments match the format.
If you define a function that takes printf-like parameters, then you
should include an attribute like this:
void log(foo f, const char *format, ...) __attribute__((format(printf, 2, 3)));
Then GCC will verify that the arguments match the format in calls to
your function too.
> If the developer does not use formats entered by the user, the exploit
> disappears, doesn't it?
Is it guaranteed that the string can never under any circumstances ever
possibly contain a percent sign? If so, it's probably safe – in the
current version of the program, but who knows what changes might be
made in the distant future?
Tell upstream to just add "%s" as the format string and be done with
it. If they find that burdensome, then that's because they made a bad
choice of programming language.
Björn Persson
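The two points of the reply above, the format attribute on a printf-like wrapper and the "%s" fix, as an added example (my own code, not from this thread; log_fmt and log_user_safe are hypothetical names, and the sample input is constructed):

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging wrapper (not from the thread). The attribute tells GCC
 * that argument 3 is a printf-style format and the variadic arguments start
 * at 4, so -Wformat and -Wformat-security check calls to it like printf. */
int log_fmt(char *buf, size_t n, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

int log_fmt(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return len;
}

/* The fix from the reply: pass user data through "%s" instead of using it
 * as the format. Any '%' in the input is then copied literally. */
int log_user_safe(char *buf, size_t n, const char *user_input)
{
    return log_fmt(buf, n, "user said: %s", user_input);
}

/* What -Werror=format-security rejects is the same call with the user
 * string as the format, log_fmt(buf, n, user_input): because of the
 * attribute GCC flags it even though log_fmt is not printf itself. */

/* Constructed sample input that contains format directives. */
static const char SAMPLE_INPUT[] = "hello %x %s";

/* Returns 1 if the directives survived as plain text, 0 otherwise. */
int demo(void)
{
    char buf[64];
    int len = log_user_safe(buf, sizeof buf, SAMPLE_INPUT);
    return len == 22 && strcmp(buf, "user said: hello %x %s") == 0;
}

int main(void)
{
    char buf[64];
    log_user_safe(buf, sizeof buf, SAMPLE_INPUT);
    puts(buf); /* prints: user said: hello %x %s */
    return demo() ? 0 : 1;
}
```

Build with `gcc -Wall -Wformat -Werror=format-security` to see the attribute at work; the safe call compiles cleanly, while the commented-out non-literal form would be rejected.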