CMFSUPPORT-3863. COVERITY TEST. DO NOT MERGE #49
@@ -17,9 +17,10 @@ | |
| ########################################################################## | ||
| AM_CFLAGS = -D_ANSC_LINUX | ||
| AM_CFLAGS += -D_ANSC_USER | ||
| AM_CFLAGS += -Wno-format | ||
| AM_LDFLAGS = -lccsp_common -lsysevent -lwebconfig_framework -lmsgpackc -ltrower-base64 | ||
|
|
||
| AM_CPPFLAGS = -Wall -Werror | ||
| AM_CPPFLAGS = -Wall -Wno-format | ||
|
||
| ACLOCAL_AMFLAGS = -I m4 | ||
| hardware_platform = i686-linux-gnu | ||
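Review bot: the two flag changes in this hunk, `AM_CFLAGS += -Wno-format` and `AM_CPPFLAGS = -Wall -Werror` becoming `AM_CPPFLAGS = -Wall -Wno-format`, switch off gcc's format checking and at the same time drop -Werror, so every other warning -Wall reports also stops failing the build, not just format mismatches. If the purpose of this PR is only to confirm that Coverity flags the fprintf change, keep `-Wall -Werror` as it was and leave -Wformat enabled (it is part of -Wall), so the compiler catches the same CWE-685 defect that the scanners do; -Wno-format should not land in this Makefile whatever the test outcome. Adding the flag to both AM_CFLAGS and AM_CPPFLAGS is also redundant, since automake passes both to the compile line.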
@@ -294,7 +294,7 @@ | ||||||||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||||||||
| if ((file = fopen(fpath, "w"))) | |||||||||||||||||||||||||||||||||
| { | |||||||||||||||||||||||||||||||||
| fprintf(file,"%s",str); | |||||||||||||||||||||||||||||||||
| fprintf(file,"%s%s",str); | |||||||||||||||||||||||||||||||||
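Review bot: `fprintf(file,"%s%s",str);` has two %s conversions but supplies only one argument, so the second %s makes fprintf fetch a vararg that was never passed. That is undefined behaviour (CWE-685); on most ABIs it reads whatever register or stack slot comes next, so either unrelated memory contents are written into the file at fpath or, if the value is not a valid pointer, the process crashes. Restore `fprintf(file,"%s",str);`, or better `fputs(str, file);`, which writes str verbatim and has no format string to get wrong.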
Check failure: Code scanning / Coverity: Missing argument to printf format specifier (High)
PRINTF_ARGS: No argument for format specifier "%s".
Check notice: Code scanning / Coverity: Printf arg count mismatch (Low)
PW.TOO_FEW_PRINTF_ARGS: the format string requires additional arguments
Check warning: Code scanning / CodeQL: Too few arguments to formatting function (Medium)
Format for fprintf expects 2 arguments but given 1
Copilot Autofix (AI), 5 days ago: In general, to fix "too few arguments to formatting function" issues, ensure that the number and types of arguments after the format string exactly match the conversion specifiers in the format. You can either (1) adjust the format string to use fewer specifiers, or (2) pass additional arguments so that every specifier has a corresponding value. In this specific case, fprintf(file,"%s%s",str); uses a format string with two %s specifiers but supplies only one argument; the fix is to change it to fprintf(file, "%s", str);. No new headers or helper functions are required; we just correct the format string at line 297 in the shown snippet. Everything else in the function can remain unchanged.
Suggested changeset (1 file): source/AdvSecurityDml/cosa_adv_security_internal.c
| fprintf(file,"%s%s",str); | |
| fprintf(file, "%s", str); |
Coverity Issue - Printf arg count mismatch
the format string requires additional arguments
Medium Impact, CWE-685
PW.TOO_FEW_PRINTF_ARGS
Coverity Issue - Missing argument to printf format specifier
No argument for format specifier "%s".
Medium Impact, CWE-685
PRINTF_ARGS
Adding -Wno-format suppresses compiler warnings for format string mismatches, which would hide serious bugs like format string vulnerabilities and incorrect argument counts. This flag is masking the bug in line 294 of cosa_adv_security_internal.c where fprintf has mismatched format specifiers and arguments. Format warnings should not be suppressed as they catch critical security and correctness issues.
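The Coverity, CodeQL and review comments above all reduce to one rule: the number of conversions in a printf-style format must equal the number of arguments passed after it. As an added example, not code from this repository or from any of the tools quoted above, the following C walks a format string the way those checkers do (handling `%%`, `*` width and precision, and length modifiers), returns how many arguments it consumes, and reports the mismatch for the format in this PR. The function names are illustrative, and the `main()` is only a standalone demonstration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from this repository. printf_arg_count()
 * walks a printf-style format and returns the number of variadic
 * arguments it consumes, which is the check Coverity (PRINTF_ARGS),
 * CodeQL and gcc -Wformat perform on the literal format string.
 * Returns -1 for an unterminated or unknown conversion.
 */
int printf_arg_count(const char *fmt)
{
    int count = 0;

    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                          /* "%%" prints a literal '%' */
            continue;
        while (*p && strchr("-+ #0", *p))       /* flags */
            p++;
        if (*p == '*') {                        /* width taken from an int argument */
            count++;
            p++;
        } else {
            while (*p >= '0' && *p <= '9')
                p++;
        }
        if (*p == '.') {                        /* precision */
            p++;
            if (*p == '*') {                    /* precision taken from an int argument */
                count++;
                p++;
            } else {
                while (*p >= '0' && *p <= '9')
                    p++;
            }
        }
        while (*p && strchr("hlLqjzt", *p))     /* length modifiers */
            p++;
        if (!*p || !strchr("diouxXeEfFgGaAcspn", *p))
            return -1;                          /* unterminated or unknown conversion */
        count++;                                /* one argument per conversion */
    }
    return count;
}

/* True only when every conversion in fmt has exactly one matching argument. */
bool printf_args_ok(const char *fmt, int nargs)
{
    int need = printf_arg_count(fmt);
    return need >= 0 && need == nargs;
}

/*
 * Writing a caller-supplied string verbatim needs no format string at all,
 * so this is the shape to prefer over fprintf(file,"%s",str): there is no
 * conversion count to get wrong.
 */
int write_plain(FILE *file, const char *str)
{
    if (file == NULL || str == NULL)
        return -1;
    return fputs(str, file) == EOF ? -1 : 0;
}

int main(void)
{
    /* The format from the PR hunk, supplied with one argument as in the diff. */
    const char *pr_fmt = "%s%s";
    printf("\"%s\" consumes %d argument(s); called with 1 -> %s\n",
           pr_fmt, printf_arg_count(pr_fmt),
           printf_args_ok(pr_fmt, 1) ? "ok" : "MISMATCH (CWE-685)");
    return write_plain(stdout, "written with fputs, no format string\n");
}
```

The compiler already performs this check: gcc's -Wall enables -Wformat, which reports `fprintf(file,"%s%s",str)` as a format expecting a matching `char *` argument, and with -Werror that report fails the build. The Makefile change in this PR removes both, which is why only the Coverity and CodeQL scans caught the defect.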