From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id EB9B43858411; Sat, 9 Oct 2021 17:55:28 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org EB9B43858411 From: "msebor at gmail dot com" To: glibc-bugs@sourceware.org Subject: [Bug build/28439] New: -Wformat-overflow in resolv/res_query.c Date: Sat, 09 Oct 2021 17:55:28 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: glibc X-Bugzilla-Component: build X-Bugzilla-Version: unspecified X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: msebor at gmail dot com X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P2 X-Bugzilla-Assigned-To: unassigned at sourceware dot org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter cc target_milestone Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://sourceware.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: glibc-bugs@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Glibc-bugs mailing list List-Unsubscribe: , List-Archive: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 09 Oct 2021 17:55:29 -0000 https://sourceware.org/bugzilla/show_bug.cgi?id=3D28439 Bug ID: 28439 Summary: -Wformat-overflow in resolv/res_query.c Product: glibc Version: unspecified Status: UNCONFIRMED Severity: normal Priority: P2 Component: build Assignee: unassigned at sourceware dot org Reporter: msebor at gmail dot com CC: carlos at redhat dot com Target Milestone: --- A GCC 12 enhancement (still under review) to the optimizer has improved GCC= 's ability to extract and propagate range information from strlen() expression= s.=20 The improvement lets GCC infer constraints on strlen() results from subsequ= ent expressions involving lengths of different strings, like in the following c= ode in resolv/res_query.c: n =3D strlen(name); d =3D strlen(domain); if (n + d + 1 >=3D MAXDNAME) { RES_SET_H_ERRNO(statp, NO_RECOVERY); return (-1); } sprintf (nbuf, "%s.%s",name, domain); Here, GCC determines from the if condition that n and d are each constraine= d to less than MAXDNAME, but because it can't express their relationship in the inequality, the constraint isn't tight enough to rule out that their sum mi= ght exceed MAXDNAME. This in turns triggers the warning below: res_query.c: In function =E2=80=98__res_context_querydomain=E2=80=99: res_query.c:613:35: warning: =E2=80=98%s=E2=80=99 directive writing up to 1= 023 bytes into a region of size between 1 and 1024 [-Wformat-overflow=3D] 613 | sprintf(nbuf, "%s.%s", name, domain); | ^~ res_query.c:613:17: note: =E2=80=98sprintf=E2=80=99 output between 2 and 20= 48 bytes into a destination of size 1025 613 | sprintf(nbuf, "%s.%s", name, domain); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This code triggered a similar false positive in the past. It was reported = in GCC bug 91567 and quickly fixed there. In this case, however, a fix in GCC isn't feasible. Everything is working as designed, but the better range information exposed by the enhancement isn't sufficient to avoid the warnin= g.=20 The warning can be easily avoided in Glibc either by #pragma GCC diagnostic= or by changing the code to avoid sprintf as shown below: index 75b0e5f2f7..31ab1db60b 100644 --- a/resolv/res_query.c +++ b/resolv/res_query.c @@ -610,7 +610,9 @@ __res_context_querydomain (struct resolv_context *ctx, RES_SET_H_ERRNO(statp, NO_RECOVERY); return (-1); } - sprintf(nbuf, "%s.%s", name, domain); + strcpy (nbuf, name); + nbuf[n] =3D '.'; + strcpy (nbuf + n + 1, domain); } return __res_context_query (ctx, longname, class, type, answer, anslen, answerp, answerp2, nanswerp2, --=20 You are receiving this mail because: You are on the CC list for the bug.=