Wireshark · Ethereal-dev: Re: [Ethereal-dev] [Coverity] Possible Format String Vulnerabilites

[Todd Sabin <tsabin@xxxxxxxxxxxxx>]

Guy Harris <gharris@xxxxxxxxx> writes:

> Perhaps there's a way to get it to warn about non-constant format
> arguments - but as those are valid, too, either that'd have to require
> a special compiler option or there'd have to be some other way of
> suppressing it.

-Wformat=2 will warn about non-constant format strings.

I enabled that, built ethereal from scratch, and got hundreds of
warnings (including the one Coverity pointed out).  I didn't look at
all of the warnings, but most of the ones I did look at would be
trivially fixed by adding "%s" as the format string.  The one or two
that weren't obvious looked like they could be worked around without
too much effort.

I'd suggest adding that warning to ethereal's default build options.
(And fixing the warnings, obviously.  There's probably at least one
exploitable one in there.)


Todd

p.s.  In case anyone cares, the Makefile is still broken with respect
to dependencies.  (It's hard to understand how anyone wouldn't care,
but I reported this over a year and a half ago, and it's still true.)

-- 
Todd Sabin                                          <tsabin@xxxxxxxxxxxxx>