Re: Secure C programming & format strings
From: James (hoosier45678@hotmail.com)
Date: 04/11/03
From: James <hoosier45678@hotmail.com> Date: Thu, 10 Apr 2003 21:43:43 -0700
On 11 Apr 2003 00:17:40 GMT, roberson@ibd.nrc-cnrc.gc.ca (Walter
Roberson) wrote:
>In article <b74um7$sfh$1@tabloid.uwaterloo.ca>,
>David Canzi <dmcanzi@watserv1.uwaterloo.ca> wrote:
>:I have a hunch. Try this experiment. Change that fprintf to:
>: fprintf(stderr, somversion);
>
>:Change the declaration to:
>: const char *somversion = "Stack-0-Mibs Version 0.30 - \n";
>
>:Run the code auditor again.
>
>:If my hunch is right, I hope fixing the problem doesn't involve doing
>:the above operation on all your printfs.
>
> fprintf(stderr, (const char *) "Stack-0-Mibs Version 0.30 - \n" );
>
>perhaps.
I know for certain that string literals are constant by default,
unless they are used in an array initialization (char* s1="abc" is
constant, but char s2[] = "abc" is not).
But in any case, it is the "constant-ness" of the format string, and
not the string itself, that the tool is tagging incorrectly(?)
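An added example, not code from this thread or from the Stack-0-Mibs project, illustrating what the auditor is complaining about. Two facts worth pinning down: in C a string literal has type char[N] (not const; C++ is the language that makes it const char[N]), and writing to it is undefined behaviour; a char[] initialised from a literal is a separate, writable array. The tool's objection is to the format argument being a variable rather than a literal: at the fprintf call it cannot know what the buffer holds. The buffer names below are modelled on the thread's somversion, and the attacker-style input is constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffers modelled on the thread's somversion variable.
 * somversion points at a literal (char[N] in C, not modifiable);
 * version_copy is a distinct array that the program can overwrite. */
static const char *somversion = "Stack-0-Mibs Version 0.30 - \n";
static char version_copy[]    = "Stack-0-Mibs Version 0.30 - \n";

/* Count conversion specifications in fmt. "%%" is a literal percent and
 * is not counted; a lone trailing '%' is malformed and returns -1. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '\0')
            return -1;           /* dangling '%' */
        if (*p == '%')
            continue;            /* "%%" prints a single '%' */
        n++;
    }
    return n;
}

/* Return 1 if fmt contains a %n conversion (after optional flags, width,
 * precision and length modifiers). %n writes to memory, which is what
 * turns a format-string bug from a stack leak into an arbitrary write. */
int has_n_conversion(const char *fmt)
{
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p))
            p++;
        if (*p == '\0')
            return 0;
        if (*p == 'n')
            return 1;
    }
    return 0;
}

/* Why a non-literal format worries a static auditor: the identifier
 * looks like a harmless banner at the call site, but a writable buffer
 * can hold anything by the time the call runs. Overwrites version_copy
 * with constructed attacker-style input and returns how many
 * conversions fprintf(stderr, version_copy) would now interpret. */
int taint_writable_buffer(void)
{
    snprintf(version_copy, sizeof version_copy, "%s", "%x.%x.%x.%n");
    return count_conversions(version_copy);
}

/* The hardened form of fprintf(stderr, somversion): the format is a
 * literal the compiler can check, and the data travels as an argument,
 * so any '%' in text is printed rather than interpreted. Returns 1 if
 * text round-trips unchanged through the literal format. */
int untrusted_text_roundtrips(const char *text)
{
    char out[128];
    int len = snprintf(out, sizeof out, "%s", text);
    return len >= 0 && (size_t)len == strlen(text) && strcmp(out, text) == 0;
}

int main(void)
{
    printf("banner conversions: %d\n", count_conversions(somversion));
    printf("after taint: %d conversions, has %%n: %d\n",
           taint_writable_buffer(), has_n_conversion(version_copy));
    printf("safe print of tainted buffer: ");
    fprintf(stdout, "%s", version_copy);   /* literal format, data as arg */
    printf("\nroundtrip ok: %d\n", untrusted_text_roundtrips(version_copy));
    return 0;
}
```

Casting the literal to const char * (as suggested upthread) changes nothing about what the checker sees; what it wants is a format string whose contents are visible at the call, or a "%s" literal with the variable passed as data.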