snprintf Format String security vulnerability issue

We have a Coverity bug for this line of code:

snprintf( tempStr, size, testStrings[testID], A2DtoV(testResults[testID].value),
          A2DtoV(testResults[testID].min), A2DtoV(testResults[testID].max));

The error says:

non_const_printf_format_string: "format string is not a string literal, 
potential security vulnerability if user controlled"

I changed testStrings to a const, but that didn't do anything:

static const char *testStrings[] = {"1", ... etc};

Any ideas as to what this error is really saying?

Ovi Tisler asked Mar 10 '09 18:03



2 Answers

Your code is fine.

The issue is that if you pass a string that is user controlled as a printf format string, security bugs can arise.

For instance, printf(userName);

Where userName is supplied by the user, a user can pass "%s" and get your function to start accessing data at a random address on the stack, which could result in a crash. printf will try to pop additional parameters off the stack, resulting in stack corruption. A denial-of-service attack like this is probably the best case; information can be disclosed by getting printf to dump out values on the stack, and there are even ways to get printf-style functions to modify the return address on the stack.

Since your strings are not user controlled, it is safe to ignore this message. The typical fix is to replace the printf example I gave with printf("%s", userName), which would not appear to help in your case because the const strings appear to contain format strings.

Wikipedia has more on format string vulnerabilities here: http://en.wikipedia.org/wiki/Format_string_vulnerabilities

Michael answered Oct 19 '22 22:10


The idea is that the value of testStrings[testID] could somehow be changed to include extra format specifiers.

Because snprintf() has no way to check whether the number of parameters matches the number of format specifiers, it will just take the next address from the stack to use as the value for the next format specifier, and weird things can happen then.

It is known as a format string attack.

qrdl answered Oct 19 '22 23:10
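Both answers come down to the same point: snprintf cannot tell whether the arguments at the call site match the conversions in a format it was handed at runtime. The C below is an added example, not code from the question or either answer; it assumes each table entry takes exactly three double arguments (A2DtoV's return type is not shown) and uses constructed strings in place of the real testStrings. It shows a self-check of the table that gives a reviewer evidence for dismissing the Coverity finding, and Michael's "%s" form for text that really does come from a user.

```c
#include <stdio.h>
#include <string.h>

/* Constructed table standing in for the asker's testStrings: every entry is
   a program-controlled literal that takes exactly three double arguments. */
static const char *const testStrings[] = {
    "voltage %.2f V (limit %.2f..%.2f)",
    "current %.3f A (limit %.3f..%.3f)",
};
#define NTESTS (sizeof testStrings / sizeof testStrings[0])
#define EXPECTED_ARGS 3

/* Count the conversions in fmt, accepting only plain double conversions.
   Returns -1 for anything a three-double call cannot satisfy: %n, '*' (needs
   an int), other conversion types, or a lone trailing '%'. "%%" is a literal
   percent sign and is not counted. */
int count_double_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;                          /* "%%" */
        while (*p && strchr("-+ #0123456789.", *p)) p++;   /* flags, width, precision */
        if (*p == '\0' || *p == '*' || *p == 'n' || !strchr("eEfFgGaA", *p))
            return -1;
        n++;
    }
    return n;
}

/* Startup self-check: each entry must match the call site's argument count,
   so a mis-edited or corrupted entry is caught before any call is made. */
int table_is_sane(void)
{
    for (size_t i = 0; i < NTESTS; i++)
        if (count_double_conversions(testStrings[i]) != EXPECTED_ARGS) return 0;
    return 1;
}

/* The asker's call with an index bound and the format check in front of it. */
int format_result(char *out, size_t size, size_t testID,
                  double value, double min, double max)
{
    if (testID >= NTESTS ||
        count_double_conversions(testStrings[testID]) != EXPECTED_ARGS) return -1;
    return snprintf(out, size, testStrings[testID], value, min, max);
}

/* Michael's fix for genuinely user-supplied text: the text is an argument and
   the format is a literal, so "%s%n" in the input is just characters. */
int echo_safe(char *out, size_t size, const char *user)
{
    return snprintf(out, size, "%s", user);
}
```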