Wireshark-dev: Re: [Wireshark-dev] Passing NULL to %s format specifiers
From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Thu, 16 Aug 2012 10:16:01 -0700
On 8/15/12 8:12 AM, Evan Huus wrote:
> On Wed, Aug 15, 2012 at 10:15 AM, Jeff Morriss
> <jeff.morriss.ws@xxxxxxxxx> wrote:
>> Evan Huus wrote:
>>>
>>> On Linux and most other operating systems I know of, passing a NULL to
>>> a %s format specifier is safe. On Solaris, as it turns out, it isn't
>>> [1].

It's a little more complex than that. The problem is present if the
system's C library doesn't handle passing NULL to %s AND GLib wasn't
compiled with "--enable-included-printf". This used to be the case for
Windows but was fixed a couple of years ago. It's still broken for
Solaris because the default for "enable-included-printf" is "auto", at
least according to the GLib sources. It seems like it should be "yes" in
order to provide consistent behavior across platforms or at least check
the behavior of passing NULL to %s.

Note that you can still segfault with printf("%s", NULL) on Linux since
gcc will use its builtin printf in that case.


> I'm a fan of a macro like Jakub mentioned as part of the old conversation:
> 
> http://www.wireshark.org/lists/wireshark-dev/201105/msg00205.html
> 
> If we go that route, perhaps someone can add a bit to checkAPIs that
> complains if it finds %s in a format string without the macro?

I'm OK with this but it seems like we should be able to get Coverity or
Clang to do the work for us. They're both pretty good at finding NULL
pointer dereferences.
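The guard macro the thread discusses, written out as an added example (this is not Wireshark's own code, and the macro name SAFE_STR, the function names and the format strings are assumptions): a NULL pointer is mapped to a visible placeholder before it reaches %s, so the call behaves the same whether or not the platform's printf tolerates NULL. The second function sketches the checkAPIs-style check Evan proposes, counting %s conversions in a format string so a caller can compare that against the number of wrapped arguments.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical guard macro (assumed name, not Wireshark's): maps a NULL
 * pointer to a visible placeholder so that what reaches %s is always a
 * valid C string, regardless of how the C library or GLib handles NULL. */
#define SAFE_STR(s) ((s) != NULL ? (s) : "(null)")

/* Format "label: value" into buf with both arguments guarded.
 * Returns the length snprintf would have produced (excluding the NUL). */
int format_field(char *buf, size_t n, const char *label, const char *value)
{
    return snprintf(buf, n, "%s: %s", SAFE_STR(label), SAFE_STR(value));
}

/* Lint-style helper in the spirit of the proposed checkAPIs addition:
 * count %s conversions in a format string, skipping "%%" escapes and
 * common flag/width/precision/length characters. A caller can compare
 * the count with the number of arguments it wrapped in SAFE_STR. */
int count_s_conversions(const char *fmt)
{
    int count = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;               /* literal percent sign */
        while (*p && strchr("-+ #0123456789.lhqjzt", *p))
            p++;                    /* flags, width, precision, length */
        if (*p == 's')
            count++;
        if (*p == '\0')
            break;                  /* format ended after a lone '%' */
    }
    return count;
}

int main(void)
{
    char buf[64];
    format_field(buf, sizeof buf, "host", NULL);
    printf("%s\n", buf);                 /* host: (null) */
    printf("%d\n", count_s_conversions("%d%% %-10s %ld"));   /* 1 */
    return 0;
}
```

The placeholder string makes the missing value visible in dissector output instead of turning it into a platform-dependent crash, which is the behaviour the thread is after.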