From 1331cd7aae892fedec8abbebef431e688648346e Mon Sep 17 00:00:00 2001
From: dwheeler
Date: Tue, 16 Jan 2007 23:20:49 +0000
Subject: [PATCH] Add atoi() and atol(). It's a little lame, but at least it's there.
git-svn-id: svn+ssh://svn.code.sf.net/p/flawfinder/code/trunk@14 5c01084b-1f27-0410-9f85-80411afe95dc
---
 correct-results.html | 2 +-
 correct-results.txt | 2 +-
 flawfinder | 8 ++++++++
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/correct-results.html b/correct-results.html
index 3a29193..d29886c 100644
--- a/correct-results.html
+++ b/correct-results.html
@@ -11,7 +11,7 @@
 Here are the security scan results from Flawfinder version 1.27, (C) 2001-2004 David A. Wheeler.
-Number of dangerous functions in C/C++ ruleset: 158
+Number of dangerous functions in C/C++ ruleset: 160

Examining test.c
Examining test2.c
diff --git a/correct-results.txt b/correct-results.txt
index da348ee..a596e28 100644
--- a/correct-results.txt
+++ b/correct-results.txt
@@ -1,5 +1,5 @@
 Flawfinder version 1.27, (C) 2001-2004 David A. Wheeler.
-Number of dangerous functions in C/C++ ruleset: 158
+Number of dangerous functions in C/C++ ruleset: 160
 Examining test.c
 Examining test2.c
 test.c:32: [5] (buffer) gets:
diff --git a/flawfinder b/flawfinder
index 75a9c38..f0ba461 100755
--- a/flawfinder
+++ b/flawfinder
@@ -971,6 +971,14 @@ c_ruleset = {
 "or embedded spaces could allow an attacker to force a different program to run",
 "shell", "", {'check_for_null' : 1}),
 
+ "atoi|atol":
+ (normal, 2,
+ "Unless checked, the resulting number can exceed the expected range",
+ " If source untrusted, check both minimum and maximum, even if the" +
+ " input had no minus sign (large numbers can roll over into negative" +
+ " number; consider saving to an unsigned value if that is intended)",
+ "integer", "dangers-c", {}),
+
 # Random values. Don't trigger on "initstate", it's too common a term.
 "drand48|erand48|jrand48|lcong48|lrand48|mrand48|nrand48|random|seed48|setstate|srand|strfry|srandom":
 (normal, 3,
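Review bot: The suggestion text on the ` If source untrusted, check both minimum and maximum ...` lines tells the caller to range-check the atoi()/atol() result after the fact, but those functions offer no way to detect overflow or a non-numeric prefix — the C standard leaves the result undefined when the value cannot be represented, so "roll over into negative" is only one possible outcome and a post-hoc min/max check cannot reliably catch it. The suggestion should steer to strtol()/strtoul(), which report out-of-range input via errno (ERANGE) and the stop position via endptr; for example, replace the three concatenated suggestion strings with `" If source untrusted, use strtol()/strtoul() and check errno (ERANGE) and the endptr instead; atoi()/atol() cannot report overflow or non-numeric input, so their result cannot be validated after the fact"`. The pattern could also cover the sibling functions with the same no-error-reporting contract, e.g. `"atoi|atol|atoll|atof":`, which is a one-token change, though the expected-results files that record the ruleset count would then need regenerating as this commit already does for 158 to 160. The c_ruleset dictionary this entry belongs to starts before the hunk and continues past it.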