geode-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Blake Bender (Jira)" <j...@apache.org>
Subject [jira] [Resolved] (GEODE-6007) Fix LGTM complaints in NC code base
Date Thu, 12 Sep 2019 19:29:01 GMT

     [ https://issues.apache.org/jira/browse/GEODE-6007?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Blake Bender resolved GEODE-6007.
---------------------------------
    Resolution: Fixed

> Fix LGTM complaints in NC code base
> -----------------------------------
>
>                 Key: GEODE-6007
>                 URL: https://issues.apache.org/jira/browse/GEODE-6007
>             Project: Geode
>          Issue Type: Improvement
>          Components: native client
>            Reporter: Blake Bender
>            Priority: Major
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> This is showing stuff that is bad practice in general, and may open us up to maliciousness. 
There are two main situations in which we find lots of usage of snprintf with raw char buffers,
which are:
>  * formatting messages for exceptions
>  * formatting messages for logging
> For the exception messages, we should switch to something known to be safe - a vsxprintf
implementation, boost::format, std::stringstream, whatever.  As long as we stop declaring
raw char buffers on the stack, it's all good
>  
> For logging, the situation is even dumber.  The various LOG* macros in the code _already_
take a format string and varargs, so as far as I know we essentially need to move the printf-style
arguments into the logging macro and get rid of the other nonsense.  We may even buy a tiny
performance improvement due to the fact that that logging macros can be compiled out of the
code.
>  
> UPDATE:  Report from running LGTM on our code may be found at [https://lgtm.com/projects/g/apache/geode-native/alerts/?mode=list.] 
This report has issues with tons of printf-style format specifiers, so it catches most of
the snprintf stuff pointed out above.  MANY OF THESE ARE BUFFER OVERFLOW ISSUES, and must
be addressed in the name of security.



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

Mime
View raw message