gluster-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Gluster-devel] glusterfs-3.3.0qa34 released


From: Patrick Matthäi
Subject: Re: [Gluster-devel] glusterfs-3.3.0qa34 released
Date: Tue, 10 Apr 2012 22:15:13 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.3) Gecko/20120329 Icedove/10.0.3

Am 10.04.2012 22:10, schrieb Jeff Darcy:
> On 04/10/2012 03:59 PM, Patrick Matthäi wrote:
>> The "problem" is, that the % substitution is missing, so:
>>
>> gf_log (this->name, GF_LOG_ERROR, msg);
>> should become:
>> gf_log (this->name, GF_LOG_ERROR, "%s", msg);
>>
>> I didn't checked if this was introduced in other places, too.
>>
>> In 3.2.5 there was a simmilar fault, which my co-maintainer of the
>> glusterfs packaging has been fixed:
>> http://review.gluster.com/#change,2598
> 
> Yes, it's easy to work around, and patches to do just that would be welcome.
> I'll be the first to approve them.  OTOH, false positives are the bane of any
> effort to improve software quality via static analysis.  The fact that gcc has
> now generated two false positives for the same non-problem suggests that its
> format-security diagnostics are not the right basis for such an effort.

I am currently on patching, since I have got two patches now and I am on
my third buildd run (just building on my cow-power-notebook atm) I may
need some minutes ;)

IMHO at the above code it is a false-positive, but in general the
warning/fatal is right, so that programmers use such functions in an
secure manner from the beginning, like using prepared SQL statements
also if there query is static..
But this is too much for this thread ;-)


-- 
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi
 GNU/Linux Debian Developer

E-Mail: address@hidden
        address@hidden
*/

Attachment: signature.asc
Description: OpenPGP digital signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]