Your message dated Tue, 17 Jun 2025 20:47:59 +0100
with message-id <[email protected]>
and subject line re: git - passes wrong types to curl_easy_setopt
has caused the Debian Bug report #1107437,
regarding git - passes wrong types to curl_easy_setopt
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1107437: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107437
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: git
Severity: important
X-Debbugs-CC: [email protected], [email protected], [email protected], 
[email protected]

When building against curl 8.14 git creates a whole bunch of compiler
warnings. We originally discovered this because of a package in Debian
that was using an embedded code copy of git and building it with
-Werror (see debian bug 1107412) but the issue is clearly visible
when rebuilding the git package in current sid.

imap-send.c:1421:9: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
 1421 |         curl_easy_setopt(curl, CURLOPT_PORT, srvc->port);
imap-send.c:1434:9: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
 1434 |         curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 
srvc->ssl_verify);
imap-send.c:1435:9: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
 1435 |         curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 
srvc->ssl_verify);
http-push.c:197:9: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
  197 |         curl_easy_setopt(curl, CURLOPT_HTTPGET, 1);
http-push.c:197:9: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
  197 |         curl_easy_setopt(curl, CURLOPT_HTTPGET, 1);
http-push.c:197:9: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
  197 |         curl_easy_setopt(curl, CURLOPT_HTTPGET, 1);
http-push.c:197:9: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
  197 |         curl_easy_setopt(curl, CURLOPT_HTTPGET, 1);
http-push.c:197:9: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
  197 |         curl_easy_setopt(curl, CURLOPT_HTTPGET, 1);
http-push.c:197:9: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
  197 |         curl_easy_setopt(curl, CURLOPT_HTTPGET, 1);
remote-curl.c:880:9: warning: call to ‘_curl_easy_setopt_err_long’ declared 
with attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
  880 |         curl_easy_setopt(slot->curl, CURLOPT_NOBODY, 0);
remote-curl.c:881:9: warning: call to ‘_curl_easy_setopt_err_long’ declared 
with attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
  881 |         curl_easy_setopt(slot->curl, CURLOPT_POST, 1);
remote-curl.c:885:9: warning: call to ‘_curl_easy_setopt_err_long’ declared 
with attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
  885 |         curl_easy_setopt(slot->curl, CURLOPT_POSTFIELDSIZE, 4);
http.c:1010:17: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
 1010 |                 curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, 0);
http.c:1011:17: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
 1011 |                 curl_easy_setopt(result, CURLOPT_SSL_VERIFYHOST, 0);
http.c:1014:17: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
 1014 |                 curl_easy_setopt(result, CURLOPT_SSL_VERIFYPEER, 1);
http.c:1016:17: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
 1016 |                 curl_easy_setopt(result, CURLOPT_SSL_VERIFYHOST, 2);
http.c:1048:17: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
 1048 |                 curl_easy_setopt(result, CURLOPT_SSL_OPTIONS, 
CURLSSLOPT_NO_REVOKE);
http.c:1108:9: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
 1108 |         curl_easy_setopt(result, CURLOPT_MAXREDIRS, 20);
http.c:1109:9: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
 1109 |         curl_easy_setopt(result, CURLOPT_POSTREDIR, 
CURL_REDIR_POST_ALL);
http.c:1142:17: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
 1142 |                 curl_easy_setopt(result, CURLOPT_FTP_USE_EPSV, 0);
http.c:1183:25: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
 1183 |                         curl_easy_setopt(result,
http.c:1186:25: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
 1186 |                         curl_easy_setopt(result,
http.c:1189:25: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
 1189 |                         curl_easy_setopt(result,
http.c:1192:25: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
 1192 |                         curl_easy_setopt(result,
http.c:1195:25: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
 1195 |                         curl_easy_setopt(result, CURLOPT_PROXYTYPE, 
CURLPROXY_HTTPS);
http.c:709:9: warning: call to ‘_curl_easy_setopt_err_long’ declared with 
attribute warning: curl_easy_setopt expects a long argument 
[-Wattribute-warning]
  709 |         curl_easy_setopt(c, CURLOPT_TCP_KEEPALIVE, 1);

While the compiler warnings appear to be new with curl 8.14,
the underlying issue does not. curl_easy_setopt is a variadic
function whose parameter types depend on the option selected.

Passing a parameter of the wrong type to a variadic function
can have consequences that vary by architecture and the types
of the preceding parameters. It's possible that the right
thing will happen by "accident", either because the types
are in fact the same size, or for example a 32-bit value
may be converted to a 64-bit value where the top bits are
garbage and the bottom bits are correct; this may then be
converted back to a 32-bit value, throwing away the garbage.

But it's equally possible the right thing will not happen,
that the variadic function will end up dealing with garbage
and will misbehave or crash.

I think the fix here is just to add casts and literal suffixes
so the argument is passed as the correct type, but I'd
appreciate feedback from people more familiar with the codebase.

--- End Message ---
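
The type mismatch described in the report above, as an added example that is not part of the original message and is not code from git or curl. `mini_setopt`, `mini_setopt_long`, `struct mini_handle`, the `MINI_OPT_*` values and `IS_LONG` are hypothetical names standing in for an option-driven variadic API; the example shows the cast and literal-suffix fixes plus a typed wrapper that makes the conversion automatic.

```c
#include <stdarg.h>
#include <stdio.h>

/* Hypothetical stand-in for an option-driven variadic API: the type of the
 * variadic argument depends on the option, as with curl_easy_setopt. */
enum { MINI_OPT_PORT, MINI_OPT_VERIFYPEER, MINI_OPT_URL };

struct mini_handle { long port; long verify_peer; const char *url; };

/* Returns 0 on success, -1 for an unknown option. */
int mini_setopt(struct mini_handle *h, int opt, ...)
{
    va_list ap;
    int rc = 0;

    va_start(ap, opt);
    switch (opt) {
    case MINI_OPT_PORT:       h->port = va_arg(ap, long); break;
    case MINI_OPT_VERIFYPEER: h->verify_peer = va_arg(ap, long); break;
    case MINI_OPT_URL:        h->url = va_arg(ap, const char *); break;
    default:                  rc = -1; break;
    }
    va_end(ap);
    return rc;
}

/* C11 compile-time probe: evaluates to 1 only for an expression of type long. */
#define IS_LONG(x) _Generic((x), long: 1, default: 0)

/* Typed wrapper: ordinary parameter conversion turns an int argument into a
 * long before it reaches the variadic call, so the caller cannot mismatch. */
int mini_setopt_long(struct mini_handle *h, int opt, long value)
{
    return mini_setopt(h, opt, value);
}

int main(void)
{
    struct mini_handle h = {0};
    int port = 993;                     /* constructed sample value */

    /* mini_setopt(&h, MINI_OPT_PORT, port) would pass an int where va_arg
     * reads a long: undefined behaviour, so it is deliberately not run. */
    mini_setopt(&h, MINI_OPT_PORT, (long)port);   /* fix: cast */
    mini_setopt(&h, MINI_OPT_VERIFYPEER, 1L);     /* fix: literal suffix */
    printf("port=%ld verify=%ld int-is-long=%d\n",
           h.port, h.verify_peer, IS_LONG(port));
    return 0;
}
```
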
--- Begin Message ---
Version: 2.50.0-1

It's on the master branch, so it should be included in
v2.50.0-rc2, scheduled for Monday.

2.50.0 has now been uploaded to Debian and looking at the build
log the curl related warnings are indeed gone.

--- End Message ---
