Unable to compile stx-metal project with -Werror=format-security flag

Bug #1803608 reported by Luis Botello
Affects: StarlingX
Status: Won't Fix
Importance: Medium
Assigned to: Victor Manuel Rodriguez Bahena

Bug Description

Title
-----
Unable to compile pingUtil.cpp with -Werror=format-security flag

Brief Description
-----------------
File pingUtil.cpp cannot be compiled if the flag -Werror=format-security is set in the Makefile.

Severity
--------
Minor: System/Feature is usable but with security issues.

Steps to Reproduce
------------------
Add the -Werror=format-security flag to mtce-common/src/common/Makefile

Expected Behavior
------------------
Project compilation should be completed with no issues.

Actual Behavior
----------------
The project cannot be compiled if the flag is set.

Reproducibility
---------------
100%

System Configuration
--------------------
All compilation environments

Branch/Pull Time/Commit
-----------------------
Master / November 14 2018, Commit: 0d9bb5e

Timestamp/Logs
--------------
pingUtil.cpp:207:74: error: format not a string literal and no format arguments [-Werror=format-security]
   snprintf ( &ping4_tx.msg[0], PING_MESSAGE_LEN, ping_info.message );
                    ^
pingUtil.cpp:207:74: error: format not a string literal and no format arguments [-Werror=format-security]
pingUtil.cpp:229:74: error: format not a string literal and no format arguments [-Werror=format-security]
   snprintf ( &ping6_tx.msg[0], PING_MESSAGE_LEN, ping_info.message );
                    ^
pingUtil.cpp:229:74: error: format not a string literal and no format arguments [-Werror=format-security]

Tags: stx.security
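The diagnostic above fires because ping_info.message, a runtime value, is handed to snprintf as the format string with no further arguments. The following is an added example, not code from the stx-metal tree; PING_MESSAGE_LEN and ping_tx_type are assumed stand-ins for the identifiers in the report, and the sample messages are constructed. It shows the rejected pattern beside the hardened "%s" form, why the difference is observable even for a benign payload (a "%%" in the message is rewritten by the unsafe call and copied verbatim by the safe one), and a small pre-check for call sites that cannot be changed yet. A message holding "%s" or "%n" would read or write through arguments that were never passed, so the example never feeds such input to the unsafe call.

```cpp
#include <cstdio>
#include <string>

// Stand-ins for the report's identifiers (assumed layout, not the stx-metal
// definitions): a fixed-size payload buffer like the ping4_tx/ping6_tx msg field.
constexpr size_t PING_MESSAGE_LEN = 64;

struct ping_tx_type {
    char msg[PING_MESSAGE_LEN];
};

// The pattern the compiler rejects: caller data used as the format string.
// Every '%' in `message` is interpreted by snprintf, and any directive other
// than "%%" reads varargs that were never passed (undefined behaviour).
// The pragmas silence the very diagnostic the bug is about so the call can be
// shown as written; they have no place in production code.
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
std::string fill_unsafe(const char *message) {
    ping_tx_type tx{};
    std::snprintf(&tx.msg[0], PING_MESSAGE_LEN, message);
    return std::string(tx.msg);
}
#pragma GCC diagnostic pop

// Hardened form: literal format, message passed as a data argument.
// snprintf still bounds the copy at PING_MESSAGE_LEN - 1 bytes plus the NUL.
std::string fill_safe(const char *message) {
    ping_tx_type tx{};
    std::snprintf(&tx.msg[0], PING_MESSAGE_LEN, "%s", message);
    return std::string(tx.msg);
}

// Defensive gate for code paths that cannot be changed yet: refuse any
// message carrying a conversion directive. "%%" is the only '%' allowed;
// a lone trailing '%' is also rejected because printf would not define it.
bool message_has_directive(const char *message) {
    for (const char *p = message; *p != '\0'; ++p) {
        if (*p != '%') continue;
        if (p[1] == '%') { ++p; continue; }   // literal percent, skip the pair
        return true;                          // "%s", "%n", "%x", ... : a directive
    }
    return false;
}

int main() {
    // Constructed sample: a benign operator message that happens to contain a '%'.
    const char *sample = "link 50%% up";
    std::printf("unsafe: %s\n", fill_unsafe(sample).c_str());   // "%%" collapsed to "%"
    std::printf("safe:   %s\n", fill_safe(sample).c_str());     // copied verbatim
    // Constructed hostile message: only ever handed to the check, never to fill_unsafe.
    std::printf("hostile rejected: %s\n", message_has_directive("%s%s%n") ? "yes" : "no");
    return 0;
}
```

Build it with the same flag the report adds, e.g. `g++ -Wall -Wformat=2 -Werror=format-security example.cpp`; without the pragma block, fill_unsafe fails with exactly the error quoted in the log, which is the point of the flag: the build, not a reviewer, catches the pattern.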
Luis Botello (lbotell) wrote :

The same issue is also seen in rmonHdlr.cpp when compiling with the -Werror=format-security flag, caused by the snprintf function. Attaching a file containing the whole error output: rmonHdlr.log

summary: - Unable to compile pingUtil.cpp with -Werror=format-security flag
+ Unable to compile stx-metal project with -Werror=format-security flag
Cindy Xie (xxie1)
tags: added: stx.security
Bruce Jones (brucej)
information type: Private Security → Public Security
Victor Manuel Rodriguez Bahena (vm-rod25) wrote :

commit 1db3320c3c708089ee9ae9297d91761eed4049a5 (HEAD -> master)
Author: Victor Rodriguez <email address hidden>
Date: Wed Nov 28 08:10:33 2018 -0600

    Try to fix security bug 1803621

    https://bugs.launchpad.net/starlingx/+bug/1803621

    Signed-off-by: Victor Rodriguez <email address hidden>

diff --git a/mtce-common/src/common/pingUtil.cpp b/mtce-common/src/common/pingUtil.cpp
index d8afdc1..24eb664 100644
--- a/mtce-common/src/common/pingUtil.cpp
+++ b/mtce-common/src/common/pingUtil.cpp
@@ -203,8 +203,7 @@ int pingUtil_send ( ping_info_type & ping_info )

         ping4_tx.hdr.un.echo.id = htons(ping_info.identity) ;
         ping4_tx.hdr.un.echo.sequence = htons(ping_info.sequence) ;
-
- snprintf ( &ping4_tx.msg[0], PING_MESSAGE_LEN, ping_info.message );
+ snprintf (&ping4_tx.msg[0],"%s",PING_MESSAGE_LEN, ping_info.message);

         /* checksum should not be converted to htons
          * - will get (wrong icmp cksum ) */
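Review bot: the `+` line passes the snprintf arguments in the wrong order, so the change neither compiles nor fixes the warning: `snprintf (&ping4_tx.msg[0],"%s",PING_MESSAGE_LEN, ping_info.message);` puts the "%s" literal where the buffer size belongs and PING_MESSAGE_LEN where the format belongs, both invalid conversions in C++. The call should read `snprintf(&ping4_tx.msg[0], PING_MESSAGE_LEN, "%s", ping_info.message);`. The hunk also changes only the ping4 call at line 207; the identical ping6 call at line 229 quoted in the log, and the rmonHdlr.cpp sites mentioned in the first comment, still pass ping_info.message as the format string. Note as well that the commit message references bug 1803621 rather than this report, 1803608.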

Ken Young (kenyis)
Changed in starlingx:
status: New → Triaged
assignee: nobody → Victor Manuel Rodriguez Bahena (vm-rod25)
importance: Undecided → Medium
Ken Young (kenyis) wrote :

This Launchpad bug is really a feature, which is covered by the following stories:
1. https://storyboard.openstack.org/#!/story/2004656
2. https://storyboard.openstack.org/#!/story/2004380

Changed in starlingx:
status: Triaged → Won't Fix