traviscross / mtr

Official repository for mtr, a network diagnostic tool
http://www.bitwizard.nl/mtr/
GNU General Public License v2.0

ui/curses: always use "%s"-style format for printf()-style functions #411

Closed trofi closed 2 years ago

trofi commented 2 years ago

ncurses-6.3 added printf-style function attributes and now makes it easier to catch cases when user input is used in place of format string when built with CFLAGS=-Werror=format-security:

ui/curses.c:765:42:
  error: format not a string literal and no format arguments [-Werror=format-security]
  765 |         mvprintw(rowstat - 1, startstat, msg);
      |                                          ^~~

Let's wrap all the missing places with "%s" format.
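The pattern this pull request fixes, as an added example that is not mtr's code: `draw_text` is a hypothetical stand-in for `mvprintw()` built on `vsnprintf()` so it runs without ncurses, and the message string is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for mvprintw(): formats into a buffer instead of
 * a curses window. The format attribute is the kind of annotation that
 * lets the compiler check the format argument at every call site. */
__attribute__((format(printf, 3, 4)))
static int draw_text(char *out, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Before: msg itself is the format string. The pragma silences the
 * diagnostic quoted in the pull request so this file still builds. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int draw_unsafe(char *out, size_t len, const char *msg)
{
    return draw_text(out, len, msg);
}
#pragma GCC diagnostic pop

/* After: msg is only ever data for a literal "%s" format. */
int draw_safe(char *out, size_t len, const char *msg)
{
    return draw_text(out, len, "%s", msg);
}

int main(void)
{
    /* Constructed message. It contains only "%%", which is well defined as
     * a format; any other conversion would consume arguments that were
     * never passed, which is undefined behaviour. */
    const char *msg = "loss 50%% on hop 3";
    char a[64], b[64];

    draw_unsafe(a, sizeof a, msg);
    draw_safe(b, sizeof b, msg);
    printf("unsafe: %s\nsafe:   %s\n", a, b);
    return strcmp(a, b) != 0 ? 0 : 1;
}
```

The two buffers differ because the "before" form interprets the message as a format, while the `"%s"` form copies it through unchanged.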

rewolff commented 2 years ago

Can you also check recent "issues"? IIRC someone also noted a very similar problem recently. I think this was not exactly what you fixed today.

trofi commented 2 years ago

Skimmed through a few recent issues and attempted to find similar warning text or format string crashes. Found nothing similar.

rewolff commented 2 years ago

Thanks a lot. :-) In hindsight it might have been another project where that came by.

samueloph commented 2 years ago

I believe it was from Debian: https://bugs.debian.org/997194

I will backport this fix in case there isn't a new release soon.

Thanks

pabs3 commented 2 years ago

@rewolff mtr will soon be removed from Debian testing/bookworm because of this issue. Would it be possible to make a new release? Alternatively @samueloph could backport the fix to Debian.

rewolff commented 2 years ago

At some point in time I had a release script that would automate everything around a release. That way I wouldn't forget to put out the diff or the tarball or whatever. That broke and then it's taken some time to fix again. Apart from the script thinking it needed to put out 0.94, I think it works again. I've synced it up and I think it works again. This makes it way more easy to make a release. (the only issue now is that the machine the script thinks is the only one that works... is being decommissioned....)

pabs3 commented 2 years ago

Thanks for fixing the release script, looking forward to the release.

I hope there is a replacement for the to-be-decommissioned machine!

-- bye, pabs

https://bonedaddy.net/pabs3/

samueloph commented 2 years ago

Thank you everyone!

I've uploaded 0.95-1 to Debian unstable.

Cheers,

-- Samuel Henrique