curl-library
Obscure format string problems
Date: Sat, 18 Feb 2006 23:01:16 +0100
Hello,
I have found some obscure format string problems in various parts of cURL.
As usual, they are caused by using syslog() or *printf() functions and
putting a char array where you should use a format string.
One of them occurs in lib/http_negotiate.c, but fortunately the gss
function where data comes from seems to return rather fixed data, so it's
just IMHO slightly wrong code in cURL and no real problem, unless someone
changes that gss function in the future.
There are also some problems in the test suite, but that is probably just
meant for developers.
None of this is very important as far as I can see, but here is a patch
anyway, just because I'm picky.. Use it or ignore it.
// Ulf Härnhammar
--- lib/http_negotiate.c.old 2005-03-31 09:02:03.000000000 +0200
+++ lib/http_negotiate.c 2006-02-18 18:02:09.000000000 +0100
@@ -111,7 +111,7 @@ log_gss_error(struct connectdata *conn,
gss_release_buffer(&min_stat, &status_string);
} while (!GSS_ERROR(maj_stat) && msg_ctx != 0);
- infof(conn->data, buf);
+ infof(conn->data, "%s", buf);
}
int Curl_input_negotiate(struct connectdata *conn, char *header)
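Review bot: the corrected call at the end of log_gss_error(), infof(conn->data, "%s", buf), is right, but nothing in this hunk stops the next caller from passing a buffer as the format again. Consider declaring infof() with a printf-style format attribute so that compilers with format-security warnings enabled flag non-literal formats. The code that fills buf from status_string lies outside the visible lines, so its bounds handling should be checked in the same pass.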
--- tests/server/sws.c.old 2005-09-15 22:22:43.000000000 +0200
+++ tests/server/sws.c 2006-02-18 18:16:38.000000000 +0100
@@ -199,7 +199,7 @@ int ProcessRequest(struct httprequest *r
else
sprintf(logbuf, "Got a *HUGE* request HTTP/%d.%d",
prot_major, prot_minor);
- logmsg(logbuf);
+ logmsg("%s", logbuf);
if(!strncmp("/verifiedserver", ptr, 15)) {
logmsg("Are-we-friendly question received");
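Review bot: in the else branch before the changed line, sprintf(logbuf, "Got a *HUGE* request HTTP/%d.%d", ...) is followed by logmsg("%s", logbuf), which formats twice. Since logmsg() accepts a format string, each branch could call logmsg() with the format and arguments directly, which drops the unbounded sprintf() into logbuf. The other branch of the if is not visible here and would need the same treatment.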
@@ -231,7 +231,7 @@ int ProcessRequest(struct httprequest *r
sprintf(logbuf, "Requested test number %ld part %ld",
req->testno, req->partno);
- logmsg(logbuf);
+ logmsg("%s", logbuf);
filename = test2file(req->testno);
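Review bot: the sprintf(logbuf, "Requested test number %ld part %ld", ...) just above the changed line is now redundant. It can be folded into a single call, logmsg("Requested test number %ld part %ld", req->testno, req->partno), so that no intermediate buffer is involved at all.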
@@ -265,7 +265,7 @@ int ProcessRequest(struct httprequest *r
doc, &prot_major, &prot_minor) == 3) {
sprintf(logbuf, "Receiced a CONNECT %s HTTP/%d.%d request",
doc, prot_major, prot_minor);
- logmsg(logbuf);
+ logmsg("%s", logbuf);
if(prot_major*10+prot_minor == 10)
req->open = FALSE; /* HTTP 1.0 closes connection by default */
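Review bot: the sprintf() into logbuf two lines above the changed call copies doc with an unbounded %s, and doc is filled by the scan of the request line on the hunk's first context line, so its content and length come from the peer. The "%s" fix stops doc from being interpreted as a format, but the copy into logbuf should also be bounded, either with snprintf() limited to the size of logbuf or by passing the format and arguments straight to logmsg(). Minor: "Receiced" in that message is a typo for "Received".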
Received on 2006-02-18
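
The bug class the message describes, as an added example that is not part of the original post or of curl's code: a logging wrapper in the style of logmsg()/infof(), the fixed "%s" calling pattern, and a small audit helper. The names log_to, has_conversion, log_connect and sample_doc are hypothetical, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a logmsg()/infof()-style wrapper. It formats
   into a caller-supplied buffer so the result can be inspected. The format
   attribute (GCC/Clang) lets -Wformat -Wformat-security flag a call whose
   format argument is not a string literal. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int log_to(char *out, size_t outlen, const char *fmt, ...)
{
  va_list ap;
  int n;
  va_start(ap, fmt);
  n = vsnprintf(out, outlen, fmt, ap);  /* bounded, unlike sprintf() */
  va_end(ap);
  return n;
}

/* Returns 1 if s holds a '%' that printf would treat as the start of a
   conversion, i.e. text that is only safe as an argument, never as the
   format itself. */
static int has_conversion(const char *s)
{
  for(; *s; s++)
    if(*s == '%' && *++s != '%')
      return 1;   /* "%%" is a literal '%'; anything else takes an argument */
  return 0;
}

/* Constructed sample: a request target as a peer might send it. */
static const char sample_doc[] = "host%x%x%s:443";

/* Fixed pattern from the patch: the data is an argument to "%s".
   log_to(out, outlen, doc) would instead interpret doc as the format. */
static int log_connect(char *out, size_t outlen, const char *doc)
{
  return log_to(out, outlen, "%s", doc);
}

int main(void)
{
  char line[64];
  log_connect(line, sizeof(line), sample_doc);
  printf("%s (conversions in input: %d)\n", line, has_conversion(sample_doc));
  return 0;
}
```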