[15941] in bugtraq
Re: StackGuard with ... Re: [Paper] Format bugs.
daemon@ATHENA.MIT.EDU (stanislav shalunov)
Mon Jul 24 21:13:43 2000
Message-ID: <877labmfwz.fsf@cain.internet2.edu>
Date: Mon, 24 Jul 2000 16:28:28 -0400
Reply-To: stanislav shalunov <shalunov@INTERNET2.EDU>
From: stanislav shalunov <shalunov@INTERNET2.EDU>
X-To: "Stephen J. Friedl" <friedl@MTNDEW.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: "Stephen J. Friedl"'s message of "Sat, 22 Jul 2000 16:21:08 -0700"
"Stephen J. Friedl" <friedl@MTNDEW.COM> writes:
> The first thing to do is turn on the damn compiler warnings, because more
> and more compilers actually do check printf-like parameters for you. GNU C
> does this, as do numerous commercial compilers:
>
> $ cat test.c
> #include <stdio.h>
>
> int main(void)
> {
> printf("i = %d\n"); <--- missing parameter!
> }
> $ gcc -Wall test.c <-- try again with real warnings
> test.c: In function `main':
> test.c:5: warning: too few arguments for format
Turning on compiler warnings is nice, of course, and I always have at
least -Wall -W -pedantic on with GCC.
However, in this case compiler warnings buy you nothing.
The most trivial examples aren't dealt with properly:
$ cat try.c
#include <stdio.h>
int
main()
{
char buf[1024];
fgets(buf, sizeof buf, stdin);
printf(buf);
exit(0);
}
$ gcc -Wall -W -pedantic try.c
$ ./a.out
%p
0xa7025
$
