Fix invocations of LOG missing format string argument

First argument of LOG* macros is passed to sd_journal_print() as format string.
In some places these macros were used with no format string at all, simply
passing e.what() from an exception. This could lead to a format string
vulnerability in the code, potentially allowing arbitrary code execution.
This error also caused build break:

In file included from /data/src/tizen/cynara/src/client/api/client-api.cpp:27:0:
/data/src/tizen/cynara/src/common/exceptions/TryCatch.h: In function
    ‘int Cynara::tryCatch(const std::function<int()>&)’:
    /data/src/tizen/cynara/src/common/exceptions/TryCatch.h:41:178: error:
    format not a string literal and no format arguments [-Werror=format-security]
         LOGE(e.what());
(... and more ...)

Change-Id: I1259283cf1bd2fa0fb2d271e38a7b416e17939f7
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>

diff --git a/src/admin/api/admin-api.cpp b/src/admin/api/admin-api.cpp
index e444b7a..1e73ff7 100644 (file)
--- a/src/admin/api/admin-api.cpp
+++ b/src/admin/api/admin-api.cpp
@@ -197,7 +197,7 @@ int cynara_admin_check(struct cynara_admin *p_cynara_admin,
             userStr = user;
             privilegeStr = privilege;
         } catch (const std::length_error &e) {
-            LOGE(e.what());
+            LOGE("%s", e.what());
             return CYNARA_API_INVALID_PARAM;
         }
 

diff --git a/src/client-async/api/client-async-api.cpp b/src/client-async/api/client-async-api.cpp
index d350e10..1e3479e 100644 (file)
--- a/src/client-async/api/client-async-api.cpp
+++ b/src/client-async/api/client-async-api.cpp
@@ -84,7 +84,7 @@ int cynara_async_check_cache(cynara_async *p_cynara, const char *client, const c
             userStr = user;
             privilegeStr = privilege;
         } catch (const std::length_error &e) {
-            LOGE(e.what());
+            LOGE("%s", e.what());
             return CYNARA_API_INVALID_PARAM;
         }
         return p_cynara->impl->checkCache(clientStr, clientSessionStr, userStr, privilegeStr);
@@ -113,7 +113,7 @@ int cynara_async_create_request(cynara_async *p_cynara, const char *client,
             userStr = user;
             privilegeStr = privilege;
         } catch (const std::length_error &e) {
-            LOGE(e.what());
+            LOGE("%s", e.what());
             return CYNARA_API_INVALID_PARAM;
         }
         cynara_check_id checkId;

diff --git a/src/client/api/client-api.cpp b/src/client/api/client-api.cpp
index 4eb4625..935c6cd 100644 (file)
--- a/src/client/api/client-api.cpp
+++ b/src/client/api/client-api.cpp
@@ -88,7 +88,7 @@ int cynara_check(cynara *p_cynara, const char *client, const char *client_sessio
             userStr = user;
             privilegeStr = privilege;
         } catch (const std::length_error &e) {
-            LOGE(e.what());
+            LOGE("%s", e.what());
             return CYNARA_API_INVALID_PARAM;
         }
         return p_cynara->impl->check(clientStr, clientSessionStr, userStr, privilegeStr);

diff --git a/src/common/exceptions/TryCatch.h b/src/common/exceptions/TryCatch.h
index b1ef172..3964c01 100644 (file)
--- a/src/common/exceptions/TryCatch.h
+++ b/src/common/exceptions/TryCatch.h
@@ -38,13 +38,13 @@ int tryCatch(const std::function<int(void)> &func) {
     try {
         return func();
     } catch (const std::bad_alloc &e) {
-        LOGE(e.what());
+        LOGE("%s", e.what());
         return CYNARA_API_OUT_OF_MEMORY;
     } catch (const NoMemoryException &e) {
-        LOGE(e.what());
+        LOGE("%s", e.what());
         return CYNARA_API_OUT_OF_MEMORY;
     } catch (const std::exception &e) {
-        LOGE(e.what());
+        LOGE("%s", e.what());
         return CYNARA_API_UNKNOWN_ERROR;
     } catch (...) {
         LOGE("Unexpected exception");