Remove InitialCriticalSection

This is no longer a vulnerability on widely-used Windows versions. See: https://github.com/david-a-wheeler/flawfinder/issues/19 Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
2021-01-09 13:04:56 -05:00 · 2021-01-09 13:04:56 -05:00 · 7321f9f19c
parent 41857c6364
commit 7321f9f19c
4 changed files with 15 additions and 7 deletions
--- a/16
+++ b/16
@ -1277,10 +1277,18 @@ c_ruleset = {
     "Use InitializeCriticalSectionAndSpinCount instead",
     "misc", "", {}),

-    "EnterCriticalSection":
-    (normal, 3, "On some versions of Windows, exceptions can be thrown in low-memory situations",
-     "Use InitializeCriticalSectionAndSpinCount instead",
-     "misc", "", {}),
+    # We have *removed* the check for EnterCriticalSection.
+    # The page from the "book Writing Secure Code" describes
+    # EnterCriticalSection as something that will not throw errors on XP,
+    # .NET Server, and later. Windows XP EOL in April 8, 2014,
+    # .Net Server EOL 14 July 2015, so users of those systems will have
+    # larger security issues anyway.
+    # My thanks to rgetz for reporting this. For details, see:
+    # https://github.com/david-a-wheeler/flawfinder/issues/19
+    # "EnterCriticalSection":
+    # (normal, 3, "On some versions of Windows, exceptions can be thrown in low-memory situations",
+    #  "Use InitializeCriticalSectionAndSpinCount instead",
+    #  "misc", "", {}),

    "LoadLibrary|LoadLibraryEx":
    (normal, 3, "Ensure that the full path to the library is specified, or current directory may be used (CWE-829, CWE-20)",
--- a/test/correct-results-008.txt
+++ b/test/correct-results-008.txt
@ -1,6 +1,6 @@
 Flawfinder version 2.0.11, (C) 2001-2019 David A. Wheeler.
 Showing hits not in test-saved-hitlist-008.txt
-Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
+Number of rules (primarily dangerous function names) in C/C++ ruleset: 222

 ANALYSIS SUMMARY:

--- a/test/correct-results.html
+++ b/test/correct-results.html
@ -11,7 +11,7 @@
 Here are the security scan results from
 <a href="https://dwheeler.com/flawfinder">Flawfinder version 2.0.11</a>,
 (C) 2001-2019 <a href="https://dwheeler.com">David A. Wheeler</a>.
-Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
+Number of rules (primarily dangerous function names) in C/C++ ruleset: 222
 <p>
 Examining test.c <br>
 Examining test2.c <br>
--- a/test/correct-results.txt
+++ b/test/correct-results.txt
@ -1,5 +1,5 @@
 Flawfinder version 2.0.11, (C) 2001-2019 David A. Wheeler.
-Number of rules (primarily dangerous function names) in C/C++ ruleset: 223
+Number of rules (primarily dangerous function names) in C/C++ ruleset: 222
 Examining test.c
 Examining test2.c