Re: glusterfs-3.3.0qa34 released

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am 10.04.2012 22:10, schrieb Jeff Darcy:
> On 04/10/2012 03:59 PM, Patrick Matthäi wrote:
>> The "problem" is, that the % substitution is missing, so:
>>
>> gf_log (this->name, GF_LOG_ERROR, msg);
>> should become:
>> gf_log (this->name, GF_LOG_ERROR, "%s", msg);
>>
>> I didn't checked if this was introduced in other places, too.
>>
>> In 3.2.5 there was a simmilar fault, which my co-maintainer of the
>> glusterfs packaging has been fixed:
>> http://review.gluster.com/#change,2598
> 
> Yes, it's easy to work around, and patches to do just that would be welcome.
> I'll be the first to approve them.  OTOH, false positives are the bane of any
> effort to improve software quality via static analysis.  The fact that gcc has
> now generated two false positives for the same non-problem suggests that its
> format-security diagnostics are not the right basis for such an effort.

I am currently on patching, since I have got two patches now and I am on
my third buildd run (just building on my cow-power-notebook atm) I may
need some minutes ;)

IMHO at the above code it is a false-positive, but in general the
warning/fatal is right, so that programmers use such functions in an
secure manner from the beginning, like using prepared SQL statements
also if there query is static..
But this is too much for this thread ;-)


-- 
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

E-Mail: pmatthaei@xxxxxxxxxx
        patrick@xxxxxxxxxxxxx
*/

Attachment: signature.asc
Description: OpenPGP digital signature


[Index of Archives]     [Gluster Users]     [Ceph Users]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux