firewall3: Fix some format string problems

This adds annotations for the format strings to the print functions and
fixes the newly found problems. One of them is a format security
problem.

Coverity: #1412532
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

diff --git a/defaults.c b/defaults.c
index 91bd61712f6276cca6721a780247a6551becfa13..f03765c6be17e058eea110b312b3e66930d75024 100644 (file)
--- a/defaults.c
+++ b/defaults.c
@@ -393,7 +393,7 @@ set_default(const char *name, int set)
 
        snprintf(path, sizeof(path), "/proc/sys/net/ipv4/tcp_%s", name);
 
-       info(" * Set tcp_%s to %s", name, set ? "on" : "off", name);
+       info(" * Set tcp_%s to %s", name, set ? "on" : "off");
 
        if (!(f = fopen(path, "w")))
        {

diff --git a/includes.c b/includes.c
index 86392109cae6c70c767c63e40a543bf7507ac3e0..23b224436f616e469213e2d1573def730350cabf 100644 (file)
--- a/includes.c
+++ b/includes.c
@@ -140,7 +140,7 @@ print_include(struct fw3_include *include)
        }
 
        while (fgets(line, sizeof(line), f))
-               fw3_pr(line);
+               fw3_pr("%s", line);
 
        fclose(f);
 }

diff --git a/redirects.c b/redirects.c
index 97529ee9876a71ec36b1068ba0634ab25310434a..d3765557fc3f694fcac1143700f49527c30f0de1 100644 (file)
--- a/redirects.c
+++ b/redirects.c
@@ -254,14 +254,13 @@ check_redirect(struct fw3_state *state, struct fw3_redirect *redir, struct uci_e
        }
        else if (redir->ipset.set && state->disable_ipsets)
        {
-               warn_section("redirect", redir, e, "skipped due to disabled ipset support",
-                               redir->name);
+               warn_section("redirect", redir, e, "skipped due to disabled ipset support");
                return false;
        }
        else if (redir->ipset.set &&
                        !(redir->ipset.ptr = fw3_lookup_ipset(state, redir->ipset.name)))
        {
-               warn_section("redirect", redir, e, "refers to unknown ipset '%s'", redir->name,
+               warn_section("redirect", redir, e, "refers to unknown ipset '%s'",
                                redir->ipset.name);
                return false;
        }

diff --git a/utils.h b/utils.h
index 2388072b68b9e975ae5394cf08c56679f928e33d..c8cf69ac442e92c13e5ad05d9ed2ffe58ad7a4b3 100644 (file)
--- a/utils.h
+++ b/utils.h
@@ -46,10 +46,14 @@ extern bool fw3_pr_debug;
 
 struct fw3_address;
 
-void warn_elem(struct uci_element *e, const char *format, ...);
-void warn(const char *format, ...);
-void error(const char *format, ...);
-void info(const char *format, ...);
+void warn_elem(struct uci_element *e, const char *format, ...)
+       __attribute__ ((format (printf, 2, 3)));
+void warn(const char *format, ...)
+       __attribute__ ((format (printf, 1, 2)));
+void error(const char *format, ...)
+       __attribute__ ((format (printf, 1, 2)));
+void info(const char *format, ...)
+       __attribute__ ((format (printf, 1, 2)));
 
 
 #define warn_section(t, r, e, fmt, ...)                                        \
@@ -96,7 +100,8 @@ bool __fw3_command_pipe(bool silent, const char *command, ...);
 #define fw3_command_pipe(...) __fw3_command_pipe(__VA_ARGS__, NULL)
 
 void fw3_command_close(void);
-void fw3_pr(const char *fmt, ...);
+void fw3_pr(const char *fmt, ...)
+       __attribute__ ((format (printf, 1, 2)));
 
 bool fw3_has_table(bool ipv6, const char *table);