[Olsr-dev] hardening 1by1: -Wformat -Wformat-security -Werror=format-security

Henning Rogge (spam-protected)
Wed Oct 10 09:26:50 CEST 2012 

On 10/10/2012 09:14 AM, Ferry Huberts wrote:
>
>
> On 05-10-12 23:34, Hans-Christoph Steiner wrote:
>>
>> As part of the effort to get the hardening flags that are default in
>> Debian to be also default in olsrd, I'm submitting one email per concept
>> so we can discuss them each.
>>
>> The first is "-Wformat -Wformat-security -Werror=format-security".  This
>> adds strict checks to *printf() formats, which are a common source of
>> exploits.  olsrd currently passes all of these checks.

I just check the current settings myself (Kubuntu 64 bit, 3.2.0-31 
kernel, gcc 4.6.3), compiling with debug:

CFLAGS: -Wall -Wextra -Wold-style-definition 
-Wdeclaration-after-statement -Wmissing-prototypes -Wstrict-prototypes 
-Wmissing-declarations -Wsign-compare -Waggregate-return 
-Wmissing-noreturn -Wmissing-format-attribute -Wno-multichar 
-Wno-deprecated-declarations -Wendif-labels -Wwrite-strings 
-Wbad-function-cast -Wpointer-arith -Wcast-qual -Wshadow -Wformat 
-Wsequence-point -Wcast-align -Wformat-security -Wformat-y2k -Winit-self 
-Wswitch-default -Wsync-nand -Wundef -Wlogical-op -Wdouble-promotion 
-Wjump-misses-init -Wtrampolines -Wunused-parameter -Wnested-externs 
-Winline -Wdisabled-optimization -finline-functions-called-once 
-funit-at-a-time -fearly-inlining -finline-limit=350   -fPIC -ggdb

LDFLAGS: -Wl,-export-dynamic  -Wl,-rpath,/usr/local/lib 
-Wl,--warn-common -fPIC

Compiling without debug:

CFLAGS: -Wall -Wextra -Wold-style-definition 
-Wdeclaration-after-statement -Wmissing-prototypes -Wstrict-prototypes 
-Wmissing-declarations -Wsign-compare -Waggregate-return 
-Wmissing-noreturn -Wmissing-format-attribute -Wno-multichar 
-Wno-deprecated-declarations -Wendif-labels -Wwrite-strings 
-Wbad-function-cast -Wpointer-arith -Wcast-qual -Wshadow -Wformat 
-Wsequence-point -Wcast-align -Wformat-security -Wformat-y2k -Winit-self 
-Wswitch-default -Wsync-nand -Wundef -Wlogical-op -Wdouble-promotion 
-Wjump-misses-init -Wtrampolines -Wunused-parameter -Wnested-externs 
-Winline -Wdisabled-optimization -finline-functions-called-once 
-funit-at-a-time -fearly-inlining -fomit-frame-pointer 
-finline-limit=350   -fPIC
LDFLAGS: -Wl,-export-dynamic  -Wl,-rpath,/usr/local/lib 
-Wl,--warn-common -fPI

--------------
"-Wformat" and "-Wformat-security" are there, "-Werror=format-security" 
is not.

"-O2" is missing for the non-debug case, as is "-D_FORTIFY_SOURCE=2"

"-fPIE" and "-pie" are also missing.

So we have some of the suggested options, but not all of them.

Henning Rogge
-- 
Diplom-Informatiker Henning Rogge , Fraunhofer-Institut für
Kommunikation, Informationsverarbeitung und Ergonomie FKIE
Kommunikationssysteme (KOM)
Fraunhofer Straße 20, 53343 Wachtberg, Germany
Telefon +49 228 9435-961,   Fax +49 228 9435 685
mailto:(spam-protected) http://www.fkie.fraunhofer.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6169 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.olsr.org/pipermail/olsr-dev/attachments/20121010/7d112b72/attachment.bin>

More information about the Olsr-dev mailing list