Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: StackGuard with ... Re: [Paper] Format bugs.

From: stanislav shalunov <shalunov () INTERNET2 EDU>
Date: Mon, 24 Jul 2000 16:28:28 -0400
"Stephen J. Friedl" <friedl () MTNDEW COM> writes:


The first thing to do is turn on the damn compiler warnings, because more
and more compilers actually do check printf-like parameters for you. GNU C
does this, as do numerous commercial compilers:

         $ cat test.c
         #include <stdio.h>

         int main(void)
         {
                 printf("i = %d\n");             <--- missing parameter!
         }
         $ gcc -Wall test.c      <-- try again with real warnings
         test.c: In function `main':
         test.c:5: warning: too few arguments for format


Turning on compiler warnings is nice, of course, and I always have at
least -Wall -W -pedantic on with GCC.

However, in this case compiler warnings buy you nothing.

The most trivial examples aren't dealt with properly:

$ cat try.c
#include <stdio.h>

int
main()
{
        char buf[1024];
        fgets(buf, sizeof buf, stdin);
        printf(buf);
        exit(0);
}
$ gcc -Wall -W -pedantic try.c
$ ./a.out
%p
0xa7025
$
Previous By Date Next
Previous By Thread Next

Current thread: