Re: lintian 1.11.5 uploaded
On Mon, Oct 02, 2000 at 11:05:17PM +0100, Colin Watson wrote:
> Andreas Schuldei <andreas@schuldei.org> wrote:
> >* Sean 'Shaleh' Perry (shaleh@valinux.com) [001002 22:31]:
> >> Now is your time to make your wishes. They may even come true.
> >I am thinking about a lexical scanner to detect security sensitiv code wich
> >might for example create opportunities to smash the stack etc.
>
> I was thinking about this too over the last couple of days, in the
> specific context of format string attacks. I concluded that doing it
> well probably required too much knowledge of C for just a lexical
> scanner (there'd be a lot of both false positives and false negatives
> with the best approaches I can come up with), but that some new warnings
> in gcc would do a much better job.
>
> gcc already warns when you get the argument types to printf() wrong -
> other vague possibilities might be extending this to other format-string
> functions and warning about non-const format arguments (no flames
> please, I know I haven't had time to think this out properly yet).
It's already there. At least in CVS gcc, it is. See the discussion of
-Wformat=2 over the past few weeks on the GCC lists (gcc.gnu.org).
Dan
/--------------------------------\ /--------------------------------\
| Daniel Jacobowitz |__| SCS Class of 2002 |
| Debian GNU/Linux Developer __ Carnegie Mellon University |
| dan@debian.org | | dmj+@andrew.cmu.edu |
\--------------------------------/ \--------------------------------/
Reply to: