MantisBT - Doomseeker |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0003498 | Doomseeker | [All Projects] Security | public | 2018-09-19 13:29 | 2019-07-30 10:13 |
|
| Reporter | WubTheCaptain | |
| Assigned To | Pol M | |
| Priority | low | Severity | tweak | Reproducibility | always |
| Status | closed | Resolution | fixed | |
| Platform | amd64 | OS | OpenBSD | OS Version | 6.4-current |
| Product Version | 1.1 | |
| Target Version | 1.3 | Fixed in Version | 1.3 | |
|
| Summary | 0003498: GCC compiler warns of unsafe C/C++ string functions used instead of safer alternatives |
| Description | During source compile on OpenBSD, the gcc compiler prints warnings about use of unsafe functions and suggests to replace them (irregardless of if their use is safe or unsafe in this scenario).
[ 83%] Linking CXX executable ../../doomseeker
CMakeFiles/doomseeker.dir/scanner.cpp.o: In function `Scanner::scriptMessage(Scanner::MessageLevel, char
const*, ...) const':
scanner.cpp:(.text+0x3b63): warning: sprintf() is often misused, please use snprintf()
/usr/local/lib/qt5/./libQt5Core.so.2.2: warning: rand_r() is not random, it is deterministic.
CMakeFiles/doomseeker.dir/random.cpp.o: In function `Random::nextUShort(unsigned short)':
random.cpp:(.text+0x14f): warning: rand() may return deterministic values, is that what you want?
/usr/X11R6/lib/libGL.so.17.1: warning: random() may return deterministic values, is that what you want?
/usr/local/lib/libglib-2.0.so.4201.0: warning: stpcpy() is dangerous; do not use it
/usr/local/lib/libglib-2.0.so.4201.0: warning: strcpy() is almost always misused, please use strlcpy()
/usr/local/lib/libglib-2.0.so.4201.0: warning: vsprintf() is often misused, please use vsnprintf()
/usr/local/lib/libglib-2.0.so.4201.0: warning: strcat() is almost always misused, please use strlcat() |
| Steps To Reproduce | gcc 4.2.1 on OpenBSD (with gcc-local(1) patches). Something like this:
pkg_add cmake mercurial qt5 # as superuser privileges
mkdir -p $HOME/.local/src/ && cd $HOME/.local/src/
hg clone'https://bitbucket.org/Doomseeker/doomseeker/ [^]'
mkdir -p /tmp/doomseeker && cd /tmp/doomseeker
Qt5Widgets_DIR=/usr/local/lib/qt5/cmake/Qt5Widgets/
Qt5LinguistTools_DIR=/usr/local/lib/qt5/cmake/Qt5LinguistTools/
Qt5Multimedia_DIR=/usr/local/lib/qt5/cmake/Qt5Multimedia
Qt5Xml_DIR=/usr/local/lib/qt5/cmake/Qt5Xml
export Qt5Widgets_DIR Qt5LinguistTools_DIR Qt5Multimedia_DIR Qt5Xml_DIR
export CPATH=$CPATH:/usr/local/include
cmake $HOME/.local/src/doomseeker/
CC=gcc CXX=g++ make -j4 |
| Additional Information | The following files create warnings in Doomseeker:
- src/core/scanner.cpp
- src/core/random.cpp
|
| Tags | No tags attached. |
| Relationships | | child of | 0003499 | assigned | Pol M | Port Doomseeker to OpenBSD |
|
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2018-09-19 13:29 | WubTheCaptain | New Issue | |
| 2018-09-19 13:29 | WubTheCaptain | OS | => OpenBSD |
| 2018-09-19 13:29 | WubTheCaptain | OS Version | => 6.4-current |
| 2018-09-19 13:29 | WubTheCaptain | Platform | => amd64 |
| 2018-09-19 17:49 | WubTheCaptain | Note Added: 0019575 | |
| 2018-09-22 01:21 | WubTheCaptain | Note Added: 0019607 | |
| 2018-09-29 15:07 | WubTheCaptain | Severity | minor => tweak |
| 2018-10-05 06:44 | WubTheCaptain | Target Version | => 1.2 |
| 2018-10-09 14:27 | WubTheCaptain | Target Version | 1.2 => |
| 2018-12-17 05:21 | WubTheCaptain | Category | Bug => Security |
| 2018-12-17 08:49 | Filystea | Note Added: 0020267 | |
| 2018-12-20 17:33 | Filystea | Note Added: 0020276 | |
| 2018-12-21 06:54 | WubTheCaptain | Priority | normal => low |
| 2018-12-25 18:27 | Filystea | Note Added: 0020282 | |
| 2018-12-25 18:28 | Filystea | Note Edited: 0020282 | bug_revision_view_page.php?bugnote_id=20282#r12332 |
| 2018-12-25 18:28 | Filystea | Note Edited: 0020282 | bug_revision_view_page.php?bugnote_id=20282#r12333 |
| 2019-01-06 06:31 | WubTheCaptain | Assigned To | => WubTheCaptain |
| 2019-01-06 06:31 | WubTheCaptain | Status | new => acknowledged |
| 2019-05-21 22:51 | Pol M | Assigned To | WubTheCaptain => Pol M |
| 2019-05-21 22:51 | Pol M | Status | acknowledged => assigned |
| 2019-05-21 22:52 | Pol M | Relationship added | child of 0003499 |
| 2019-05-26 14:04 | Pol M | Note Added: 0020693 | |
| 2019-05-28 16:30 | Pol M | Note Added: 0020702 | |
| 2019-05-28 16:30 | Pol M | Status | assigned => needs testing |
| 2019-05-28 16:31 | Pol M | Note Edited: 0020702 | bug_revision_view_page.php?bugnote_id=20702#r12602 |
| 2019-05-30 06:12 | WubTheCaptain | Target Version | => 1.3 |
| 2019-07-20 01:15 | Pol M | Note Added: 0020896 | |
| 2019-07-20 01:16 | Pol M | Status | needs testing => resolved |
| 2019-07-20 01:16 | Pol M | Fixed in Version | => 1.3 |
| 2019-07-20 01:16 | Pol M | Resolution | open => fixed |
| 2019-07-30 10:13 | WubTheCaptain | Status | resolved => closed |
|
Notes |
|
|
|
|
Might've been clang, actually. Anyway... |
|
|
|
|
|
Also tools/updaterevision/updaterevision.c's main function, strcpy(). |
|
|
|
|
clang is default openbsd compiler.
Glad there are people using my fav sys ;-)
Btw.
This is not that important. The problem is:
You still can only compile servers because of fmod crap.
Most times you will be dealing with malloc.h changing to stdlib.h;-)
I had a rage topic about it once. Did compile for sake of compiling but never used.
openbsd for life <3 |
|
|
|
|
I belive I was not clear enough. Lock this up. those warnings are just PROPOSITIONS.
Seriusly. I write quite a bit of C and this is silly.
strlxxx is not standard. Ofc strcpy can do damage if programer fucks up but the function is not bad. Even gets is not bad ( yeah - I just said it ).
Those are just crappy clang warnings.
And openbsd did not pick clang because it's somehow *more secure makes more secure code or what ever *. |
|
|
|
(0020282)
|
|
Filystea
|
2018-12-25 18:27
(edited on: 2018-12-25 18:28) |
|
Actually it kind of bugged me. Is that really clang so I went on #openbsd free-node and seems this is openbsd addon for linker.
Anyway strlcpy is lame to use.
Use strncpy strnlen etc. Just pass buff_size - 1 and have the last byte set to 0/nul. Using 'n' family also fixes the warning. If anyone cares. hue hue ;-)
|
|
|
|
(0020693)
|
|
Pol M
|
|
2019-05-26 14:04
|
|
This is warned exclusively by OpenBSD, regardless of the compiler.
srand() is called previously to rand(), so for the exclusive usage of creating random strings it would be more than OK. That said, since we are using C++ 11, I'll change it to use the std::random library, which is better and provides lots of options. For reference, I'm not using QRandomGenerator because it was introduced in 5.10, and windows builds may not work.
strcpy() is always used in safe situations, there is nothing to change.
src/core/main.cpp:724
tools/updaterevision/updaterevision.c:114
sprintf() is also OK, so I also see no point on changing it.
tools/updateinstaller/src/UpdateDialogAscii.cpp:698 |
|
|
|
(0020702)
|
|
Pol M
|
2019-05-28 16:30
(edited on: 2019-05-28 16:31) |
|
The needed change on the random class is done
|
|
|
|
(0020896)
|
|
Pol M
|
|
2019-07-20 01:15
|
|
|
Resolving since there is not much to check. Code works ¯\_(ツ)_/¯ |
|