openssh bugs - Apr 2025 - [Bug 3809] New: snprintf const char *fmt detection false negatives with Clang and _FORTIFY_SOURCE=2

https://bugzilla.mindrot.org/show_bug.cgi?id=3809

            Bug ID: 3809
           Summary: snprintf const char *fmt detection false negatives
                    with Clang and _FORTIFY_SOURCE=2
           Product: Portable OpenSSH
           Version: -current
          Hardware: amd64
                OS: FreeBSD
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Build system
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jlduran at gmail.com

Created attachment 3869
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3869&action=edit
const/no const detection program

The snippet (attached conftest.c) used to detect whether a system can
declare [v]snprintf() const char *fmt incorrectly fails to detect it on
FreeBSD if compiled with Clang and with _FORTIFY_SOURCE=2 (NetBSD and
macOS might fail as well, but are probably using gcc) :

$ cc -D_FORTIFY_SOURCE=2 conftest.c
conftest.c:2:5: error: expected identifier or '('
    2 | int snprintf(char *a, size_t b, const char *c, ...) { return 0;
}
      |     ^
/usr/include/ssp/stdio.h:88:33: note: expanded from macro 'snprintf'
   88 | #define snprintf(str, len, ...) __extension__ ({        \
      |                                 ^
1 error generated.

A workaround is attached that un-defines source fortifications for the
detection script (unsure if this is the best approach).

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3809

--- Comment #1 from Jose Luis Duran <jlduran at gmail.com> ---
Created attachment 3870
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3870&action=edit
Workaround

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3809

--- Comment #2 from Jose Luis Duran <jlduran at gmail.com> ---
Sorry, I managed to make this PR private. It was unintentional.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3809

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
             Blocks|                            |3808


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3808
[Bug 3808] Tracking bug for OpenSSH 10.1
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3809

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #3869|application/octet-stream    |text/plain
          mime type|                            |
   Attachment #3869|0                           |1
           is patch|                            |

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3809

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
Which version of FreeBSD are you seeing this on?  I can't reproduce the
problem on 14.2, either with the standalone test or configure:

$ uname -a
FreeBSD fbsd14 14.2-RELEASE-p1 FreeBSD 14.2-RELEASE-p1 GENERIC amd64

$ clang -D_FORTIFY_SOURCE=2 conftest.c

$ ./configure --with-cflags=-D_FORTIFY_SOURCE=2 2>&1 | grep snprintf
checking for snprintf... yes
checking for vsnprintf... yes
checking whether snprintf correctly terminates long strings... yes
checking whether snprintf understands %zu... yes
checking whether vsnprintf returns correct values on overflow... yes
checking whether snprintf can declare const char *fmt... yes

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3809

--- Comment #4 from Jose Luis Duran <jlduran at gmail.com> ---
(In reply to Darren Tucker from comment #3)
> Which version of FreeBSD are you seeing this on?  I can't reproduce
> the problem on 14.2, either with the standalone test or configure:
> 
> $ uname -a
> FreeBSD fbsd14 14.2-RELEASE-p1 FreeBSD 14.2-RELEASE-p1 GENERIC amd64
Sorry, yes, source fortification is only available on FreeBSD 15.0
(-CURRENT).
> $ clang -D_FORTIFY_SOURCE=2 conftest.c
$ cc -v
FreeBSD clang version 19.1.7 (https://github.com/llvm/llvm-project.git
llvmorg-19.1.7-0-gcd708029e0b2)
Target: x86_64-unknown-freebsd15.0
Thread model: posix
InstalledDir: /usr/bin
Build config: +assertions
> $ ./configure --with-cflags=-D_FORTIFY_SOURCE=2 2>&1 | grep snprintf
> checking for snprintf... yes
> checking for vsnprintf... yes
> checking whether snprintf correctly terminates long strings... yes
> checking whether snprintf understands %zu... yes
> checking whether vsnprintf returns correct values on overflow... yes
> checking whether snprintf can declare const char *fmt... yes
$ ./configure --with-cflags=-D_FORTIFY_SOURCE=2 2>&1 | grep snprintf
checking for snprintf... yes
checking for vsnprintf... yes
checking whether snprintf correctly terminates long strings... no
configure: WARNING: ****** Your snprintf() function is broken, complain
to your vendor
checking whether snprintf understands %zu... no
checking whether vsnprintf returns correct values on overflow... yes
checking whether snprintf can declare const char *fmt... no

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3809

--- Comment #5 from Jose Luis Duran <jlduran at gmail.com> ---
(In reply to Jose Luis Duran from comment #4)
> $ ./configure --with-cflags=-D_FORTIFY_SOURCE=2 2>&1 | grep snprintf
> checking for snprintf... yes
> checking for vsnprintf... yes
> checking whether snprintf correctly terminates long strings... no
> configure: WARNING: ****** Your snprintf() function is broken,
> complain to your vendor
> checking whether snprintf understands %zu... no
> checking whether vsnprintf returns correct values on overflow... yes
> checking whether snprintf can declare const char *fmt... no
That last check should have been:

$ ./configure --with-cflags=-D_FORTIFY_SOURCE=2 2>&1 | grep snprintf
checking for snprintf... yes
checking for vsnprintf... yes
checking whether snprintf correctly terminates long strings... yes
checking whether snprintf understands %zu... yes
checking whether vsnprintf returns correct values on overflow... yes
checking whether snprintf can declare const char *fmt... no

Same for NetBSD (FreeBSD's upstream for source fortification), using
CC=clang.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3809

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #6 from Darren Tucker <dtucker at dtucker.net> ---
The patch has been applied and will be in the 10.1p1 release.  Thanks
for the report.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.