Elise,

#include <stdio.h>

void foo(const char *format, int value)
{
    /* Format string not known at compile time: 'format' is a parameter,
       so the directives it contains are only determined when foo is called. */
    printf(format, value);
}

=Austin

--- Elise Berger <[EMAIL PROTECTED]> wrote:
> I am trying to understand what exactly the formatconst flag does. The
> splint manual has the following text:
>
>     A simpler way to detect format vulnerabilities is to warn for any
>     format string that is unknown at compile time. Splint provides this
>     checking, issuing a warning if the +formatconst flag is set and finds
>     any unknown format strings at compile time. This can produce spurious
>     messages, however, because there might be unknown format strings that
>     are not vulnerable to hostile input.
>
> What is meant by "a format string unknown at compile time?" Does this
> refer to a format specifier? Can anyone provide an example?
> Any information on the above would be much appreciated.
> Thanks.
>
> Elise T. Berger
> Senior Security Engineer
> CygnaCom Solutions, Inc.
> an Entrust company
> Phone: 703-270-3511 Fax: 703-848-0960
> http://www.cygnacom.com
> [EMAIL PROTECTED]

_______________________________________________
splint-discuss mailing list
[EMAIL PROTECTED]
http://www.splint.org/mailman/listinfo/splint-discuss
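The following is an added example, not code from the thread above or from the splint project. It puts Austin's "format unknown at compile time" function next to the form splint's +formatconst has nothing to say about (a string-literal format, with the user string passed as a %s argument), and adds a small runtime directive scanner for the cases where a format really must be data, such as one read from a trusted configuration file. The function names (log_variable_format, log_fixed_format, count_conversions, has_n_directive, format_is_safe_for) and the hostile input string are assumptions made for this example; the runtime check is a complement to splint's compile-time warning, not a description of what splint itself does.

```c
/*
 * Added example (not from the splint-discuss thread or from splint).
 * Helper names and the sample hostile input are assumptions chosen here.
 */
#include <stdio.h>
#include <string.h>

/* Unknown at compile time: 'format' is a parameter, so a static checker
 * cannot see which directives it holds.  If 'format' is influenced by
 * hostile input, stray %x/%s read the caller's stack and %n writes memory.
 * splint with +formatconst warns at the printf line regardless of what
 * the callers pass. */
void log_variable_format(const char *format, int value)
{
    printf(format, value);
}

/* Known at compile time: the format is a string literal and the user
 * string is data, so a '%' inside it is printed verbatim.  Returns the
 * snprintf result so callers can check for truncation. */
int log_fixed_format(char *out, size_t outsz, const char *user, int value)
{
    return snprintf(out, outsz, "user=%s value=%d\n", user, value);
}

/* Count conversions in a format string, treating "%%" as a literal percent.
 * When a format must be data, this count has to equal the number of
 * arguments the caller actually passes. */
int count_conversions(const char *fmt)
{
    int n = 0;
    for (; *fmt; fmt++) {
        if (*fmt != '%')
            continue;
        if (fmt[1] == '%') {      /* escaped percent, not a conversion */
            fmt++;
            continue;
        }
        n++;
    }
    return n;
}

/* Return 1 if the format contains a %n directive (the write primitive),
 * skipping flags, width, precision and length modifiers before the
 * conversion character. */
int has_n_directive(const char *fmt)
{
    for (; *fmt; fmt++) {
        if (*fmt != '%')
            continue;
        fmt++;
        if (*fmt == '%')          /* "%%": literal percent */
            continue;
        while (*fmt && strchr("-+ #0123456789.*hlLqjzt", *fmt))
            fmt++;
        if (*fmt == 'n')
            return 1;
        if (*fmt == '\0')
            break;
    }
    return 0;
}

/* Runtime gate for a data-supplied format: no %n, and exactly as many
 * conversions as arguments the caller will pass. */
int format_is_safe_for(const char *fmt, int nargs)
{
    return !has_n_directive(fmt) && count_conversions(fmt) == nargs;
}

/* Constructed attacker-style input pushed through the fixed-format
 * logger: it must come out as plain text, never be interpreted. */
int fixed_format_neutralizes_percent(void)
{
    char buf[64];
    const char *hostile = "%x%x%n";
    int len = log_fixed_format(buf, sizeof buf, hostile, 7);
    return len == 20 && strcmp(buf, "user=%x%x%n value=7\n") == 0;
}

int main(void)
{
    const char *cfg_fmt = "value=%d\n";  /* stands in for a trusted config value */
    if (format_is_safe_for(cfg_fmt, 1))
        log_variable_format(cfg_fmt, 42); /* +formatconst still warns inside */
    printf("fixed-format test %s\n",
           fixed_format_neutralizes_percent() ? "passed" : "failed");
    return 0;
}
```

Compiling with gcc -Wformat-security (or -Wformat-nonliteral) flags the same printf call that +formatconst does, which is a cheap cross-check when triaging splint's output: the warning is about where the format comes from, not about any particular conversion specifier in it.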