Zandronum Chat on our Discord Server Get the latest version: 3.1
Source Code

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0003498Doomseeker[All Projects] Securitypublic2018-09-19 13:292019-07-30 10:13
ReporterWubTheCaptain 
Assigned ToPol M 
PrioritylowSeveritytweakReproducibilityalways
StatusclosedResolutionfixed 
Platformamd64OSOpenBSDOS Version6.4-current
Product Version1.1 
Target Version1.3Fixed in Version1.3 
Summary0003498: GCC compiler warns of unsafe C/C++ string functions used instead of safer alternatives
DescriptionDuring source compile on OpenBSD, the gcc compiler prints warnings about use of unsafe functions and suggests to replace them (irregardless of if their use is safe or unsafe in this scenario).

[ 83%] Linking CXX executable ../../doomseeker
CMakeFiles/doomseeker.dir/scanner.cpp.o: In function `Scanner::scriptMessage(Scanner::MessageLevel, char 
const*, ...) const':
scanner.cpp:(.text+0x3b63): warning: sprintf() is often misused, please use snprintf()
/usr/local/lib/qt5/./libQt5Core.so.2.2: warning: rand_r() is not random, it is deterministic.
CMakeFiles/doomseeker.dir/random.cpp.o: In function `Random::nextUShort(unsigned short)':
random.cpp:(.text+0x14f): warning: rand() may return deterministic values, is that what you want?
/usr/X11R6/lib/libGL.so.17.1: warning: random() may return deterministic values, is that what you want?

/usr/local/lib/libglib-2.0.so.4201.0: warning: stpcpy() is dangerous; do not use it
/usr/local/lib/libglib-2.0.so.4201.0: warning: strcpy() is almost always misused, please use strlcpy()

/usr/local/lib/libglib-2.0.so.4201.0: warning: vsprintf() is often misused, please use vsnprintf()
/usr/local/lib/libglib-2.0.so.4201.0: warning: strcat() is almost always misused, please use strlcat()
Steps To Reproducegcc 4.2.1 on OpenBSD (with gcc-local(1) patches). Something like this:

pkg_add cmake mercurial qt5 # as superuser privileges
mkdir -p $HOME/.local/src/ && cd $HOME/.local/src/
hg clone'https://bitbucket.org/Doomseeker/doomseeker/ [^]'
mkdir -p /tmp/doomseeker && cd /tmp/doomseeker
Qt5Widgets_DIR=/usr/local/lib/qt5/cmake/Qt5Widgets/
Qt5LinguistTools_DIR=/usr/local/lib/qt5/cmake/Qt5LinguistTools/
Qt5Multimedia_DIR=/usr/local/lib/qt5/cmake/Qt5Multimedia
Qt5Xml_DIR=/usr/local/lib/qt5/cmake/Qt5Xml
export Qt5Widgets_DIR Qt5LinguistTools_DIR Qt5Multimedia_DIR Qt5Xml_DIR
export CPATH=$CPATH:/usr/local/include
cmake $HOME/.local/src/doomseeker/
CC=gcc CXX=g++ make -j4
Additional InformationThe following files create warnings in Doomseeker:

  • src/core/scanner.cpp
  • src/core/random.cpp
Attached Files

- Relationships
child of 0003499assignedPol M Port Doomseeker to OpenBSD 

-  Notes
User avatar (0019575)
WubTheCaptain (reporter)
2018-09-19 17:49

Might've been clang, actually. Anyway...
User avatar (0019607)
WubTheCaptain (reporter)
2018-09-22 01:21

Also tools/updaterevision/updaterevision.c's main function, strcpy().
User avatar (0020267)
Filystea (reporter)
2018-12-17 08:49

clang is default openbsd compiler.

Glad there are people using my fav sys ;-)

Btw.

This is not that important. The problem is:

You still can only compile servers because of fmod crap.
Most times you will be dealing with malloc.h changing to stdlib.h;-)

I had a rage topic about it once. Did compile for sake of compiling but never used.

openbsd for life <3
User avatar (0020276)
Filystea (reporter)
2018-12-20 17:33

I belive I was not clear enough. Lock this up. those warnings are just PROPOSITIONS.

Seriusly. I write quite a bit of C and this is silly.
strlxxx is not standard. Ofc strcpy can do damage if programer fucks up but the function is not bad. Even gets is not bad ( yeah - I just said it ).
Those are just crappy clang warnings.

And openbsd did not pick clang because it's somehow *more secure makes more secure code or what ever *.
User avatar (0020282)
Filystea (reporter)
2018-12-25 18:27
edited on: 2018-12-25 18:28

Actually it kind of bugged me. Is that really clang so I went on #openbsd free-node and seems this is openbsd addon for linker.

Anyway strlcpy is lame to use.
Use strncpy strnlen etc. Just pass buff_size - 1 and have the last byte set to 0/nul. Using 'n' family also fixes the warning. If anyone cares. hue hue ;-)

User avatar (0020693)
Pol M (developer)
2019-05-26 14:04

This is warned exclusively by OpenBSD, regardless of the compiler.
srand() is called previously to rand(), so for the exclusive usage of creating random strings it would be more than OK. That said, since we are using C++ 11, I'll change it to use the std::random library, which is better and provides lots of options. For reference, I'm not using QRandomGenerator because it was introduced in 5.10, and windows builds may not work.

strcpy() is always used in safe situations, there is nothing to change.
src/core/main.cpp:724
tools/updaterevision/updaterevision.c:114
sprintf() is also OK, so I also see no point on changing it.
tools/updateinstaller/src/UpdateDialogAscii.cpp:698
User avatar (0020702)
Pol M (developer)
2019-05-28 16:30
edited on: 2019-05-28 16:31

The needed change on the random class is done

User avatar (0020896)
Pol M (developer)
2019-07-20 01:15

Resolving since there is not much to check. Code works ¯\_(ツ)_/¯

Issue Community Support
This issue is already marked as resolved.
If you feel that is not the case, please reopen it and explain why.
Supporters: No one explicitly supports this issue yet.
Opponents: No one explicitly opposes this issue yet.

- Issue History
Date Modified Username Field Change
2018-09-19 13:29 WubTheCaptain New Issue
2018-09-19 13:29 WubTheCaptain OS => OpenBSD
2018-09-19 13:29 WubTheCaptain OS Version => 6.4-current
2018-09-19 13:29 WubTheCaptain Platform => amd64
2018-09-19 17:49 WubTheCaptain Note Added: 0019575
2018-09-22 01:21 WubTheCaptain Note Added: 0019607
2018-09-29 15:07 WubTheCaptain Severity minor => tweak
2018-10-05 06:44 WubTheCaptain Target Version => 1.2
2018-10-09 14:27 WubTheCaptain Target Version 1.2 =>
2018-12-17 05:21 WubTheCaptain Category Bug => Security
2018-12-17 08:49 Filystea Note Added: 0020267
2018-12-20 17:33 Filystea Note Added: 0020276
2018-12-21 06:54 WubTheCaptain Priority normal => low
2018-12-25 18:27 Filystea Note Added: 0020282
2018-12-25 18:28 Filystea Note Edited: 0020282 View Revisions
2018-12-25 18:28 Filystea Note Edited: 0020282 View Revisions
2019-01-06 06:31 WubTheCaptain Assigned To => WubTheCaptain
2019-01-06 06:31 WubTheCaptain Status new => acknowledged
2019-05-21 22:51 Pol M Assigned To WubTheCaptain => Pol M
2019-05-21 22:51 Pol M Status acknowledged => assigned
2019-05-21 22:52 Pol M Relationship added child of 0003499
2019-05-26 14:04 Pol M Note Added: 0020693
2019-05-28 16:30 Pol M Note Added: 0020702
2019-05-28 16:30 Pol M Status assigned => needs testing
2019-05-28 16:31 Pol M Note Edited: 0020702 View Revisions
2019-05-30 06:12 WubTheCaptain Target Version => 1.3
2019-07-20 01:15 Pol M Note Added: 0020896
2019-07-20 01:16 Pol M Status needs testing => resolved
2019-07-20 01:16 Pol M Fixed in Version => 1.3
2019-07-20 01:16 Pol M Resolution open => fixed
2019-07-30 10:13 WubTheCaptain Status resolved => closed






Questions or other issues? Contact Us.

Links


Copyright © 2000 - 2024 MantisBT Team
Powered by Mantis Bugtracker