pbiering/ipv6calc

Potential buffer overflows identified by GCC

Closed this issue · 1 comments

Build environment

GCC: gcc (Debian 13.2.0-7) 13.2.0

*** CFLAGS_EXTRA               =-fPIC -Wformat -Werror -Werror=format-security -Wsizeof-array-argument -Wextra -Werror=format-truncation=0 -Werror=char-subscripts -Wno-deprecated-declarations
*** LDFLAGS_EXTRA              =
*** LDFLAGS_EXTRA_STATIC       =
*** LD_LIBRARY_PATH            =
*** LD_LIBRARY_PATH_BASIC      =
*** CPPFLAGS                   = -Wdate-time -D_FORTIFY_SOURCE=2
*** CFLAGS                     =-g -O2 -ffile-prefix-map=/root/2023-12-ipv6calc/ipv6calc=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection
*** LDFLAGS                    =-Wl,-z,relro -Wl,-z,now

Results in the following build warnings, which honestly seem pretty serious (overflows etc.):

libipv6calc_db_wrapper_GeoIP2.c
gcc -c libipv6calc_db_wrapper_GeoIP2.c -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/root/2023-12-ipv6calc/ipv6calc=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -D__EXTENSIONS__ -fPIC -D__EXTENSIONS__ -fPIC -I../../lib -I../..
libipv6calc_db_wrapper_GeoIP2.c: In function ‘libipv6calc_db_wrapper_GeoIP2_dbfilename’:
libipv6calc_db_wrapper_GeoIP2.c:580:51: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 1024 [-Wformat-truncation=]
  580 |         snprintf(tempstring, sizeof(tempstring), "%s/%s", geoip2_db_dir, libipv6calc_db_wrapper_GeoIP2_db_file_desc[i].filename);
      |                                                   ^~      ~~~~~~~~~~~~~
In file included from /usr/include/stdio.h:906,
                 from libipv6calc_db_wrapper_GeoIP2.c:11:
In function ‘snprintf’,
    inlined from ‘libipv6calc_db_wrapper_GeoIP2_dbfilename’ at libipv6calc_db_wrapper_GeoIP2.c:580:2:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output 2 or more bytes (assuming 4097) into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
libipv6calc_db_wrapper_GeoIP2.c: In function ‘libipv6calc_db_wrapper_GeoIP2_database_info’:
libipv6calc_db_wrapper_GeoIP2.c:789:53: warning: ‘, created: ’ directive output may be truncated writing 11 bytes into a region of size between 1 and 1024 [-Wformat-truncation=]
  789 |         snprintf(tempstring, sizeof(tempstring), "%s, created: %s", resultstring, datastring);
      |                                                     ^~~~~~~~~~~
In function ‘snprintf’,
    inlined from ‘libipv6calc_db_wrapper_GeoIP2_database_info’ at libipv6calc_db_wrapper_GeoIP2.c:789:2:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output between 12 and 2058 bytes into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
libipv6calc_db_wrapper_GeoIP2.c: In function ‘libipv6calc_db_wrapper_GeoIP2_wrapper_db_info_used’:
libipv6calc_db_wrapper_GeoIP2.c:542:77: warning: ‘ / ’ directive output may be truncated writing 3 bytes into a region of size between 1 and 1024 [-Wformat-truncation=]
  542 |                                 snprintf(tempstring, sizeof(tempstring), "%s / %s", geoip2_db_usage_string, info);
      |                                                                             ^~~
In function ‘snprintf’,
    inlined from ‘libipv6calc_db_wrapper_GeoIP2_wrapper_db_info_used’ at libipv6calc_db_wrapper_GeoIP2.c:542:5:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output 4 or more bytes (assuming 1027) into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
libipv6calc_db_wrapper_DBIP2.c
gcc -c libipv6calc_db_wrapper_DBIP2.c -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/root/2023-12-ipv6calc/ipv6calc=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -D__EXTENSIONS__ -fPIC -D__EXTENSIONS__ -fPIC -I../../lib -I../..
libipv6calc_db_wrapper_DBIP2.c: In function ‘libipv6calc_db_wrapper_DBIP2_dbfilename’:
libipv6calc_db_wrapper_DBIP2.c:561:51: warning: ‘%s’ directive output may be truncated writing up to 4095 bytes into a region of size 1024 [-Wformat-truncation=]
  561 |         snprintf(tempstring, sizeof(tempstring), "%s/%s", dbip2_db_dir, libipv6calc_db_wrapper_DBIP2_db_file_desc[i].filename);
      |                                                   ^~      ~~~~~~~~~~~~
In file included from /usr/include/stdio.h:906,
                 from libipv6calc_db_wrapper_DBIP2.c:11:
In function ‘snprintf’,
    inlined from ‘libipv6calc_db_wrapper_DBIP2_dbfilename’ at libipv6calc_db_wrapper_DBIP2.c:561:2:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output 2 or more bytes (assuming 4097) into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
libipv6calc_db_wrapper_DBIP2.c: In function ‘libipv6calc_db_wrapper_DBIP2_database_info’:
libipv6calc_db_wrapper_DBIP2.c:770:53: warning: ‘, created: ’ directive output may be truncated writing 11 bytes into a region of size between 1 and 1024 [-Wformat-truncation=]
  770 |         snprintf(tempstring, sizeof(tempstring), "%s, created: %s", resultstring, datastring);
      |                                                     ^~~~~~~~~~~
In function ‘snprintf’,
    inlined from ‘libipv6calc_db_wrapper_DBIP2_database_info’ at libipv6calc_db_wrapper_DBIP2.c:770:2:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output between 12 and 2058 bytes into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
libipv6calc_db_wrapper_DBIP2.c: In function ‘libipv6calc_db_wrapper_DBIP2_wrapper_db_info_used’:
libipv6calc_db_wrapper_DBIP2.c:523:77: warning: ‘ / ’ directive output may be truncated writing 3 bytes into a region of size between 1 and 1024 [-Wformat-truncation=]
  523 |                                 snprintf(tempstring, sizeof(tempstring), "%s / %s", dbip2_db_usage_string, info);
      |                                                                             ^~~
In function ‘snprintf’,
    inlined from ‘libipv6calc_db_wrapper_DBIP2_wrapper_db_info_used’ at libipv6calc_db_wrapper_DBIP2.c:523:5:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output 4 or more bytes (assuming 1027) into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
libipv6calc_db_wrapper_BuiltIn.c
gcc -c libipv6calc_db_wrapper_BuiltIn.c -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/root/2023-12-ipv6calc/ipv6calc=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -D__EXTENSIONS__ -fPIC -D__EXTENSIONS__ -fPIC -I../../lib -I../..
libipv6calc_db_wrapper_BuiltIn.c: In function ‘libipv6calc_db_wrapper_BuiltIn_wrapper_db_info_used’:
libipv6calc_db_wrapper_BuiltIn.c:299:77: warning: ‘ / ’ directive output may be truncated writing 3 bytes into a region of size between 1 and 1024 [-Wformat-truncation=]
  299 |                                 snprintf(tempstring, sizeof(tempstring), "%s / %s", builtin_db_usage_string, info);
      |                                                                             ^~~
In file included from /usr/include/stdio.h:906,
                 from libipv6calc_db_wrapper_BuiltIn.c:12:
In function ‘snprintf’,
    inlined from ‘libipv6calc_db_wrapper_BuiltIn_wrapper_db_info_used’ at libipv6calc_db_wrapper_BuiltIn.c:299:5:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output between 4 and 2050 bytes into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
libipv6calc.c
gcc -c libipv6calc.c -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/root/2023-12-ipv6calc/ipv6calc=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -D__EXTENSIONS__ -fPIC -D__EXTENSIONS__ -fPIC -I. -I../ -I../databases/lib/  -I../md5
libipv6calc.c: In function ‘string_to_reverse_dotted’:
libipv6calc.c:147:62: warning: ‘__builtin___snprintf_chk’ output may be truncated before the last format character [-Wformat-truncation=]
  147 |                 snprintf(tempstring, sizeof(tempstring), "%s.", resultstring);
      |                                                              ^
In file included from /usr/include/stdio.h:906,
                 from libipv6calc.c:11:
In function ‘snprintf’,
    inlined from ‘string_to_reverse_dotted’ at libipv6calc.c:147:3:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output between 2 and 1025 bytes into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
libipv6calc.c: In function ‘string_to_reverse_dotted’:
libipv6calc.c:158:72: warning: ‘__builtin___snprintf_chk’ output may be truncated before the last format character [-Wformat-truncation=]
  158 |                         snprintf(tempstring, sizeof(tempstring), "%s.%s", token, resultstring);
      |                                                                        ^
In function ‘snprintf’,
    inlined from ‘string_to_reverse_dotted’ at libipv6calc.c:158:4:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output 2 or more bytes (assuming 1025) into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
libipv6calc.c: In function ‘string_to_reverse_dotted’:
libipv6calc.c:166:62: warning: ‘__builtin___snprintf_chk’ output may be truncated before the last format character [-Wformat-truncation=]
  166 |                 snprintf(tempstring, sizeof(tempstring), ".%s", resultstring);
      |                                                              ^
In function ‘snprintf’,
    inlined from ‘string_to_reverse_dotted’ at libipv6calc.c:166:3:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output between 2 and 1025 bytes into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
ipv6calc.c
gcc -c ipv6calc.c -Wdate-time -D_FORTIFY_SOURCE=2 -g -O2 -ffile-prefix-map=/root/2023-12-ipv6calc/ipv6calc=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -I../md5    -I../ -I../lib/ -I../databases/lib/
ipv6calc.c: In function ‘main’:
ipv6calc.c:1942:95: warning: ‘%s’ directive output may be truncated writing up to 16383 bytes into a region of size 1024 [-Wformat-truncation=]
 1942 |                                                 snprintf(resultstring, sizeof(resultstring), "%s %s", input1, resultstring3);
      |                                                                                               ^~
In file included from /usr/include/stdio.h:906,
                 from ipv6calc.c:12:
In function ‘snprintf’,
    inlined from ‘main’ at ipv6calc.c:1942:7:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output 2 or more bytes (assuming 16385) into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
ipv6calc.c: In function ‘main’:
ipv6calc.c:1940:95: warning: ‘%s’ directive output may be truncated writing up to 16383 bytes into a region of size 1024 [-Wformat-truncation=]
 1940 |                                                 snprintf(resultstring, sizeof(resultstring), "%s uncomparable", input1);
      |                                                                                               ^~
In function ‘snprintf’,
    inlined from ‘main’ at ipv6calc.c:1940:7:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output between 14 and 16397 bytes into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
ipv6calc.c: In function ‘main’:
ipv6calc.c:1935:87: warning: ‘%s’ directive output may be truncated writing up to 16383 bytes into a region of size 1024 [-Wformat-truncation=]
 1935 |                                         snprintf(resultstring, sizeof(resultstring), "%s %s", linebuffer, resultstring3);
      |                                                                                       ^~      ~~~~~~~~~~
In function ‘snprintf’,
    inlined from ‘main’ at ipv6calc.c:1935:6:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output 2 or more bytes (assuming 16385) into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
ipv6calc.c: In function ‘main’:
ipv6calc.c:1933:87: warning: ‘%s’ directive output may be truncated writing up to 16383 bytes into a region of size 1024 [-Wformat-truncation=]
 1933 |                                         snprintf(resultstring, sizeof(resultstring), "%s uncomparable", linebuffer);
      |                                                                                       ^~                ~~~~~~~~~~
In function ‘snprintf’,
    inlined from ‘main’ at ipv6calc.c:1933:6:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin___snprintf_chk’ output between 14 and 16397 bytes into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
ipv6calc.c: In function ‘main’:
ipv6calc.c:1731:79: warning: ‘%s’ directive output may be truncated writing up to 16383 bytes into a region of size 1024 [-Wformat-truncation=]
 1731 |                                 snprintf(resultstring, sizeof(resultstring), "%s", linebuffer);
      |                                                                               ^~   ~~~~~~~~~~
In function ‘snprintf’,
    inlined from ‘main’ at ipv6calc.c:1731:5:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:54:10: note: ‘__builtin_snprintf’ output between 1 and 16384 bytes into a destination of size 1024
   54 |   return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   55 |                                    __glibc_objsize (__s), __fmt,
      |                                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   56 |                                    __va_arg_pack ());
      |                                    ~~~~~~~~~~~~~~~~~
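Every warning quoted above is a `-Wformat-truncation=` diagnostic on `snprintf(tempstring, sizeof(tempstring), ...)`: with the destination size passed correctly, `snprintf` cannot write past the 1024-byte buffer, so the risk is silent truncation (a cut-off path or result string), not a stack overflow. The example below is added here and is not ipv6calc code; it wraps the same `"%s/%s"` and `"%s, created: %s"` patterns so truncation is reported through the return value, using constructed inputs (the directory name, the `db.mmdb` filename and the date string are placeholders).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ipv6calc code. snprintf into a 1024-byte buffer cannot
 * overflow it, but it truncates silently; the wrapper below turns truncation
 * into an error by checking the return value (the length snprintf wanted). */
#define TEMPSTRING_SIZE 1024

/* Returns 0 if the formatted output fit, -1 if it was truncated or snprintf
 * failed. On truncation dst still holds a NUL-terminated prefix. */
static int fmt_checked(char *dst, size_t dstsz, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= dstsz) {
        return -1;
    }
    return 0;
}

/* The "%s/%s" directory + filename case from the *_dbfilename() warnings. */
static int join_path_checked(char *dst, size_t dstsz,
                             const char *dir, const char *name) {
    return fmt_checked(dst, dstsz, "%s/%s", dir, name);
}

/* Constructed input: a 4095-byte directory name, the upper bound GCC assumed
 * for the %s argument. Output is cut to 1023 chars plus NUL and reported. */
static int demo_long_dir_truncates(void) {
    static char dir[4096];
    char tempstring[TEMPSTRING_SIZE];
    memset(dir, 'a', sizeof(dir) - 1);
    dir[sizeof(dir) - 1] = '\0';
    int rc = join_path_checked(tempstring, sizeof(tempstring), dir, "db.mmdb");
    return rc == -1 && strlen(tempstring) == TEMPSTRING_SIZE - 1;
}

/* Constructed input that fits: the wrapper returns 0 and the path is intact. */
static int demo_short_dir_fits(void) {
    char tempstring[TEMPSTRING_SIZE];
    int rc = join_path_checked(tempstring, sizeof(tempstring), "/var/lib/example", "db.mmdb");
    return rc == 0 && strcmp(tempstring, "/var/lib/example/db.mmdb") == 0;
}

/* The "%s, created: %s" case from the *_database_info() warnings: with a
 * constructed, already-full resultstring the 11-byte literal alone overflows
 * the remaining room, so the call must be flagged as truncated. */
static int demo_append_created_truncates(void) {
    char resultstring[TEMPSTRING_SIZE];
    char tempstring[TEMPSTRING_SIZE];
    memset(resultstring, 'x', sizeof(resultstring) - 1);
    resultstring[sizeof(resultstring) - 1] = '\0';
    return fmt_checked(tempstring, sizeof(tempstring), "%s, created: %s",
                       resultstring, "2023-12-01") == -1;
}
```

Building this with the same `-D_FORTIFY_SOURCE=2 -O2` flags still emits the `-Wformat-truncation=` note, since GCC only reasons about argument lengths, not about the return-value check; the check is what makes the truncation visible at runtime.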

Fixed with a343f65, required some rework.