[tor-bugs] #9066 [Tor]: use a macro like CHECK_PRINTF for tor_sscanf
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Jun 15 03:30:10 UTC 2013
#9066: use a macro like CHECK_PRINTF for tor_sscanf
--------------------+-------------------------------------------------------
Reporter: x3j11 | Owner:
Type: defect | Status: new
Priority: normal | Milestone: Tor: 0.2.5.x-final
Component: Tor | Version: Tor: 0.2.4.12-alpha
Keywords: | Parent:
Points: | Actualpoints:
--------------------+-------------------------------------------------------
Comment(by andrea):
The particular test in question appears to be an OpenBSD-specific
extension; an examination of gcc/c-family/c-format.c in the latest
gcc-4.8.1, where the __attribute(format())__ warnings are implemented,
shows no sign of checking string argument widths, and grepping the source
for 'format string size' turns up negative.
I'll also note that in the particular instance reported in test_util.c,
the function actually is provably safe, since the string being sscanf()ed
is shorter than the buffer even though the field precision in the format
string is longer. This is a case of a modified gcc implementing a
stricter test than standard gcc, but not precisely enough to notice that
the particular instance is safe.
I do not believe it would be possible for a compiler to support doing this
test in a way that would recognize this, though, since
__attribute(format(scanf,...))__ only tells the compiler which is the
format string and where the formatted arg sequence starts. There's no way
for it to know this is an sscanf()-alike more specifically and which is the
input string, and reason from there even if the input string is a constant
which would make it possible to draw that conclusion if it did know.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9066#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
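An added illustration of the point made in the comment above (example code, not from the ticket or from Tor's source): a hypothetical `CHECK_SCANF` macro in the style of Tor's CHECK_PRINTF, a `my_sscanf` wrapper it annotates, and a runtime bound `scan_is_safe` that does the reasoning the format checker cannot, namely that a field width larger than the buffer is still safe when the input string is shorter than the buffer. Assumes gcc or clang; `my_sscanf`, `scan_is_safe`, `scan_token` and `ticket_case_is_safe` are names chosen here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed analog of Tor's CHECK_PRINTF for scanf-style functions (not Tor's
 * own definition); gcc only checks conversions against the argument types. */
#define CHECK_SCANF(formatIdx, firstArg) \
  __attribute__((format(scanf, formatIdx, firstArg)))

/* Hypothetical sscanf()-alike. The attribute tells the compiler which
 * parameter is the format and where the arguments start; it does not tell
 * it that `input` is the scanned string, so it cannot relate a field width
 * to the input's length. */
CHECK_SCANF(2, 3)
int my_sscanf(const char *input, const char *fmt, ...)
{
  va_list ap;
  va_start(ap, fmt);
  int r = vsscanf(input, fmt, ap);
  va_end(ap);
  return r;
}

#define FIELD_WIDTH 15 /* width of the "%15s" conversion used below */
#define STR_(x) #x
#define STR(x) STR_(x)

/* The reasoning a format checker cannot do: "%Ns" stores at most
 * min(N, strlen(input)) characters plus a NUL, so a width larger than the
 * buffer is still safe when the input itself is shorter than the buffer. */
int scan_is_safe(const char *input, size_t outlen)
{
  size_t max_store = strlen(input);
  if (max_store > FIELD_WIDTH)
    max_store = FIELD_WIDTH;
  return max_store + 1 <= outlen;
}

/* Runtime guard standing in for the missing compile-time check; 0 = ok. */
int scan_token(const char *input, char *out, size_t outlen)
{
  if (!scan_is_safe(input, outlen))
    return -1;
  return my_sscanf(input, "%" STR(FIELD_WIDTH) "s", out) == 1 ? 0 : -1;
}

/* The ticket's case: 8-byte buffer, width 15, constructed input "abc". */
int ticket_case_is_safe(void)
{
  char buf[8];
  return scan_token("abc", buf, sizeof(buf)) == 0 && strcmp(buf, "abc") == 0;
}
```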