Add Common Weakness Enumeration (CWE) references
This commit is contained in:
David A. Wheeler
parent
62af9ec2d5
commit
9de8db2e74
|
|
@ -17,170 +17,176 @@ Examining test.c <br>
|
|||
Examining test2.c <br>
|
||||
<ul>
|
||||
<li>test.c:32: <b> [5] </b> (buffer) <i> gets:
|
||||
Does not check for buffer overflows. Use fgets() instead. </i>
|
||||
Does not check for buffer overflows (CWE-120). Use fgets() instead. </i>
|
||||
<pre>
|
||||
gets(f);
|
||||
</pre>
|
||||
<li>test.c:56: <b> [5] </b> (buffer) <i> strncat:
|
||||
Easily used incorrectly (e.g., incorrectly computing the correct
|
||||
maximum size to add). Consider strlcat or automatically resizing strings.
|
||||
Risk is high; the length parameter appears to be a constant, instead of
|
||||
computing the number of characters left. </i>
|
||||
maximum size to add) (CWE-120). Consider strcat_s, strlcat, or automatically
|
||||
resizing strings. Risk is high; the length parameter appears to be a
|
||||
constant, instead of computing the number of characters left. </i>
|
||||
<pre>
|
||||
strncat(d,s,sizeof(d)); /* Misuse - this should be flagged as riskier. */
|
||||
</pre>
|
||||
<li>test.c:57: <b> [5] </b> (buffer) <i> _tcsncat:
|
||||
Easily used incorrectly (e.g., incorrectly computing the correct
|
||||
maximum size to add). Consider strlcat or automatically resizing strings.
|
||||
Risk is high; the length parameter appears to be a constant, instead of
|
||||
computing the number of characters left. </i>
|
||||
maximum size to add) (CWE-120). Consider strcat_s, strlcat, or automatically
|
||||
resizing strings. Risk is high; the length parameter appears to be a
|
||||
constant, instead of computing the number of characters left. </i>
|
||||
<pre>
|
||||
_tcsncat(d,s,sizeof(d)); /* Misuse - flag as riskier */
|
||||
</pre>
|
||||
<li>test.c:60: <b> [5] </b> (buffer) <i> MultiByteToWideChar:
|
||||
Requires maximum length in CHARACTERS, not bytes. Risk is high, it
|
||||
appears that the size is given as bytes, but the function requires size as
|
||||
characters. </i>
|
||||
Requires maximum length in CHARACTERS, not bytes (CWE-120). Risk is
|
||||
high, it appears that the size is given as bytes, but the function
|
||||
requires size as characters. </i>
|
||||
<pre>
|
||||
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName));
|
||||
</pre>
|
||||
<li>test.c:62: <b> [5] </b> (buffer) <i> MultiByteToWideChar:
|
||||
Requires maximum length in CHARACTERS, not bytes. Risk is high, it
|
||||
appears that the size is given as bytes, but the function requires size as
|
||||
characters. </i>
|
||||
Requires maximum length in CHARACTERS, not bytes (CWE-120). Risk is
|
||||
high, it appears that the size is given as bytes, but the function
|
||||
requires size as characters. </i>
|
||||
<pre>
|
||||
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof wszUserName);
|
||||
</pre>
|
||||
<li>test.c:73: <b> [5] </b> (misc) <i> SetSecurityDescriptorDacl:
|
||||
Never create NULL ACLs; an attacker can set it to Everyone (Deny All
|
||||
Access), which would even forbid administrator access. </i>
|
||||
Access), which would even forbid administrator access (CWE-732). </i>
|
||||
<pre>
|
||||
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);
|
||||
</pre>
|
||||
<li>test.c:73: <b> [5] </b> (misc) <i> SetSecurityDescriptorDacl:
|
||||
Never create NULL ACLs; an attacker can set it to Everyone (Deny All
|
||||
Access), which would even forbid administrator access. </i>
|
||||
Access), which would even forbid administrator access (CWE-732). </i>
|
||||
<pre>
|
||||
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);
|
||||
</pre>
|
||||
<li>test.c:17: <b> [4] </b> (buffer) <i> strcpy:
|
||||
Does not check for buffer overflows when copying to destination.
|
||||
Consider using strncpy or strlcpy (warning, strncpy is easily misused). </i>
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is
|
||||
easily misused). </i>
|
||||
<pre>
|
||||
strcpy(b, a);
|
||||
</pre>
|
||||
<li>test.c:20: <b> [4] </b> (buffer) <i> sprintf:
|
||||
Does not check for buffer overflows. Use snprintf or vsnprintf. </i>
|
||||
Does not check for buffer overflows (CWE-120). Use sprintf_s,
|
||||
snprintf, or vsnprintf. </i>
|
||||
<pre>
|
||||
sprintf(s, "hello %s", bug);
|
||||
</pre>
|
||||
<li>test.c:21: <b> [4] </b> (buffer) <i> sprintf:
|
||||
Does not check for buffer overflows. Use snprintf or vsnprintf. </i>
|
||||
Does not check for buffer overflows (CWE-120). Use sprintf_s,
|
||||
snprintf, or vsnprintf. </i>
|
||||
<pre>
|
||||
sprintf(s, gettext("hello %s"), bug);
|
||||
</pre>
|
||||
<li>test.c:22: <b> [4] </b> (format) <i> sprintf:
|
||||
Potential format string problem. Make format string constant. </i>
|
||||
Potential format string problem (CWE-134). Make format string
|
||||
constant. </i>
|
||||
<pre>
|
||||
sprintf(s, unknown, bug);
|
||||
</pre>
|
||||
<li>test.c:23: <b> [4] </b> (format) <i> printf:
|
||||
If format strings can be influenced by an attacker, they can be
|
||||
exploited. Use a constant for the format specification. </i>
|
||||
exploited (CWE-134). Use a constant for the format specification. </i>
|
||||
<pre>
|
||||
printf(bf, x);
|
||||
</pre>
|
||||
<li>test.c:25: <b> [4] </b> (buffer) <i> scanf:
|
||||
The scanf() family's %s operation, without a limit specification,
|
||||
permits buffer overflows. Specify a limit to %s, or use a different input
|
||||
function. </i>
|
||||
permits buffer overflows (CWE-120). Specify a limit to %s, or use a
|
||||
different input function. </i>
|
||||
<pre>
|
||||
scanf("%s", s);
|
||||
</pre>
|
||||
<li>test.c:27: <b> [4] </b> (buffer) <i> scanf:
|
||||
The scanf() family's %s operation, without a limit specification,
|
||||
permits buffer overflows. Specify a limit to %s, or use a different input
|
||||
function. </i>
|
||||
permits buffer overflows (CWE-120). Specify a limit to %s, or use a
|
||||
different input function. </i>
|
||||
<pre>
|
||||
scanf("%s", s);
|
||||
</pre>
|
||||
<li>test.c:38: <b> [4] </b> (format) <i> syslog:
|
||||
If syslog's format strings can be influenced by an attacker, they can
|
||||
be exploited. Use a constant format string for syslog. </i>
|
||||
be exploited (CWE-134). Use a constant format string for syslog. </i>
|
||||
<pre>
|
||||
syslog(LOG_ERR, attacker_string);
|
||||
</pre>
|
||||
<li>test.c:49: <b> [4] </b> (buffer) <i> _mbscpy:
|
||||
Does not check for buffer overflows when copying to destination.
|
||||
Consider using a function version that stops copying at the end of the
|
||||
buffer. </i>
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Consider using a function version that stops copying at the end of
|
||||
the buffer. </i>
|
||||
<pre>
|
||||
_mbscpy(d,s); /* like strcpy, this doesn't check for buffer overflow */
|
||||
</pre>
|
||||
<li>test.c:52: <b> [4] </b> (buffer) <i> lstrcat:
|
||||
Does not check for buffer overflows when concatenating to destination. </i>
|
||||
Does not check for buffer overflows when concatenating to destination
|
||||
(CWE-120). </i>
|
||||
<pre>
|
||||
lstrcat(d,s);
|
||||
</pre>
|
||||
<li>test.c:75: <b> [3] </b> (shell) <i> CreateProcess:
|
||||
This causes a new process to execute and is difficult to use safely.
|
||||
Specify the application path in the first argument, NOT as part of the
|
||||
second, or embedded spaces could allow an attacker to force a different
|
||||
program to run. </i>
|
||||
This causes a new process to execute and is difficult to use safely
|
||||
(CWE-78). Specify the application path in the first argument, NOT as part
|
||||
of the second, or embedded spaces could allow an attacker to force a
|
||||
different program to run. </i>
|
||||
<pre>
|
||||
CreateProcess(NULL, "C:\\Program Files\\GoodGuy\\GoodGuy.exe -x", "");
|
||||
</pre>
|
||||
<li>test.c:75: <b> [3] </b> (shell) <i> CreateProcess:
|
||||
This causes a new process to execute and is difficult to use safely.
|
||||
Specify the application path in the first argument, NOT as part of the
|
||||
second, or embedded spaces could allow an attacker to force a different
|
||||
program to run. </i>
|
||||
This causes a new process to execute and is difficult to use safely
|
||||
(CWE-78). Specify the application path in the first argument, NOT as part
|
||||
of the second, or embedded spaces could allow an attacker to force a
|
||||
different program to run. </i>
|
||||
<pre>
|
||||
CreateProcess(NULL, "C:\\Program Files\\GoodGuy\\GoodGuy.exe -x", "");
|
||||
</pre>
|
||||
<li>test.c:91: <b> [3] </b> (buffer) <i> getopt_long:
|
||||
Some older implementations do not protect against internal buffer
|
||||
overflows . Check implementation on installation, or limit the size of all
|
||||
string inputs. </i>
|
||||
overflows (CWE-120). Check implementation on installation, or limit the
|
||||
size of all string inputs. </i>
|
||||
<pre>
|
||||
while ((optc = getopt_long (argc, argv, "a",longopts, NULL )) != EOF) {
|
||||
</pre>
|
||||
<li>test.c:16: <b> [2] </b> (buffer) <i> strcpy:
|
||||
Does not check for buffer overflows when copying to destination.
|
||||
Consider using strncpy or strlcpy (warning, strncpy is easily misused). Risk
|
||||
is low because the source is a constant string. </i>
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is
|
||||
easily misused). Risk is low because the source is a constant string. </i>
|
||||
<pre>
|
||||
strcpy(a, gettext("Hello there")); // Did this work?
|
||||
</pre>
|
||||
<li>test.c:19: <b> [2] </b> (buffer) <i> sprintf:
|
||||
Does not check for buffer overflows. Use snprintf or vsnprintf. Risk
|
||||
is low because the source has a constant maximum length. </i>
|
||||
Does not check for buffer overflows (CWE-120). Use sprintf_s,
|
||||
snprintf, or vsnprintf. Risk is low because the source has a constant maximum
|
||||
length. </i>
|
||||
<pre>
|
||||
sprintf(s, "hello");
|
||||
</pre>
|
||||
<li>test.c:45: <b> [2] </b> (buffer) <i> char:
|
||||
Statically-sized arrays can be overflowed. Perform bounds checking,
|
||||
use functions that limit length, or ensure that the size is larger than
|
||||
the maximum possible length. </i>
|
||||
Statically-sized arrays can be overflowed (CWE-120). Perform bounds
|
||||
checking, use functions that limit length, or ensure that the size is
|
||||
larger than the maximum possible length (CWE-119). </i>
|
||||
<pre>
|
||||
char d[20];
|
||||
</pre>
|
||||
<li>test.c:46: <b> [2] </b> (buffer) <i> char:
|
||||
Statically-sized arrays can be overflowed. Perform bounds checking,
|
||||
use functions that limit length, or ensure that the size is larger than
|
||||
the maximum possible length. </i>
|
||||
Statically-sized arrays can be overflowed (CWE-120). Perform bounds
|
||||
checking, use functions that limit length, or ensure that the size is
|
||||
larger than the maximum possible length (CWE-119). </i>
|
||||
<pre>
|
||||
char s[20];
|
||||
</pre>
|
||||
<li>test.c:50: <b> [2] </b> (buffer) <i> memcpy:
|
||||
Does not check for buffer overflows when copying to destination. Make
|
||||
sure destination can always hold the source data. </i>
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Make sure destination can always hold the source data. </i>
|
||||
<pre>
|
||||
memcpy(d,s);
|
||||
</pre>
|
||||
<li>test.c:51: <b> [2] </b> (buffer) <i> CopyMemory:
|
||||
Does not check for buffer overflows when copying to destination. Make
|
||||
sure destination can always hold the source data. </i>
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Make sure destination can always hold the source data. </i>
|
||||
<pre>
|
||||
CopyMemory(d,s);
|
||||
</pre>
|
||||
|
|
@ -188,63 +194,65 @@ Examining test2.c <br>
|
|||
Check when opening files - can an attacker redirect it (via symlinks),
|
||||
force the opening of special file type (e.g., device files), move
|
||||
things around to create a race condition, control its ancestors, or change
|
||||
its contents?. </i>
|
||||
its contents? (CWE-362). </i>
|
||||
<pre>
|
||||
f = fopen("/etc/passwd", "r");
|
||||
</pre>
|
||||
<li>test.c:15: <b> [1] </b> (buffer) <i> strcpy:
|
||||
Does not check for buffer overflows when copying to destination.
|
||||
Consider using strncpy or strlcpy (warning, strncpy is easily misused). Risk
|
||||
is low because the source is a constant character. </i>
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is
|
||||
easily misused). Risk is low because the source is a constant
|
||||
character. </i>
|
||||
<pre>
|
||||
strcpy(a, "\n"); // Did this work?
|
||||
</pre>
|
||||
<li>test.c:18: <b> [1] </b> (buffer) <i> sprintf:
|
||||
Does not check for buffer overflows. Use snprintf or vsnprintf. Risk
|
||||
is low because the source is a constant character. </i>
|
||||
Does not check for buffer overflows (CWE-120). Use sprintf_s,
|
||||
snprintf, or vsnprintf. Risk is low because the source is a constant character. </i>
|
||||
<pre>
|
||||
sprintf(s, "\n");
|
||||
</pre>
|
||||
<li>test.c:26: <b> [1] </b> (buffer) <i> scanf:
|
||||
it's unclear if the %s limit in the format string is small enough.
|
||||
Check that the limit is sufficiently small, or use a different input
|
||||
function. </i>
|
||||
it's unclear if the %s limit in the format string is small enough
|
||||
(CWE-120). Check that the limit is sufficiently small, or use a different
|
||||
input function. </i>
|
||||
<pre>
|
||||
scanf("%10s", s);
|
||||
</pre>
|
||||
<li>test.c:53: <b> [1] </b> (buffer) <i> strncpy:
|
||||
Easily used incorrectly; doesn't always \0-terminate or check for
|
||||
invalid pointers. </i>
|
||||
invalid pointers (CWE-120). </i>
|
||||
<pre>
|
||||
strncpy(d,s);
|
||||
</pre>
|
||||
<li>test.c:54: <b> [1] </b> (buffer) <i> _tcsncpy:
|
||||
Easily used incorrectly; doesn't always \0-terminate or check for
|
||||
invalid pointers. </i>
|
||||
invalid pointers (CWE-120). </i>
|
||||
<pre>
|
||||
_tcsncpy(d,s);
|
||||
</pre>
|
||||
<li>test.c:55: <b> [1] </b> (buffer) <i> strncat:
|
||||
Easily used incorrectly (e.g., incorrectly computing the correct
|
||||
maximum size to add). Consider strlcat or automatically resizing strings. </i>
|
||||
maximum size to add) (CWE-120). Consider strcat_s, strlcat, or automatically
|
||||
resizing strings. </i>
|
||||
<pre>
|
||||
strncat(d,s,10);
|
||||
</pre>
|
||||
<li>test.c:58: <b> [1] </b> (buffer) <i> strlen:
|
||||
Does not handle strings that are not \0-terminated (it could cause a
|
||||
crash if unprotected). </i>
|
||||
crash if unprotected) (CWE-119). </i>
|
||||
<pre>
|
||||
n = strlen(d);
|
||||
</pre>
|
||||
<li>test.c:64: <b> [1] </b> (buffer) <i> MultiByteToWideChar:
|
||||
Requires maximum length in CHARACTERS, not bytes. Risk is very low,
|
||||
the length appears to be in characters not bytes. </i>
|
||||
Requires maximum length in CHARACTERS, not bytes (CWE-120). Risk is
|
||||
very low, the length appears to be in characters not bytes. </i>
|
||||
<pre>
|
||||
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName)/sizeof(wszUserName[0]));
|
||||
</pre>
|
||||
<li>test.c:66: <b> [1] </b> (buffer) <i> MultiByteToWideChar:
|
||||
Requires maximum length in CHARACTERS, not bytes. Risk is very low,
|
||||
the length appears to be in characters not bytes. </i>
|
||||
Requires maximum length in CHARACTERS, not bytes (CWE-120). Risk is
|
||||
very low, the length appears to be in characters not bytes. </i>
|
||||
<pre>
|
||||
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof wszUserName /sizeof(wszUserName[0]));
|
||||
</pre>
|
||||
|
|
|
|||
|
|
@ -3,129 +3,137 @@ Number of dangerous functions in C/C++ ruleset: 160
|
|||
Examining test.c
|
||||
Examining test2.c
|
||||
test.c:32: [5] (buffer) gets:
|
||||
Does not check for buffer overflows. Use fgets() instead.
|
||||
Does not check for buffer overflows (CWE-120). Use fgets() instead.
|
||||
test.c:56: [5] (buffer) strncat:
|
||||
Easily used incorrectly (e.g., incorrectly computing the correct
|
||||
maximum size to add). Consider strlcat or automatically resizing strings.
|
||||
Risk is high; the length parameter appears to be a constant, instead of
|
||||
computing the number of characters left.
|
||||
maximum size to add) (CWE-120). Consider strcat_s, strlcat, or automatically
|
||||
resizing strings. Risk is high; the length parameter appears to be a
|
||||
constant, instead of computing the number of characters left.
|
||||
test.c:57: [5] (buffer) _tcsncat:
|
||||
Easily used incorrectly (e.g., incorrectly computing the correct
|
||||
maximum size to add). Consider strlcat or automatically resizing strings.
|
||||
Risk is high; the length parameter appears to be a constant, instead of
|
||||
computing the number of characters left.
|
||||
maximum size to add) (CWE-120). Consider strcat_s, strlcat, or automatically
|
||||
resizing strings. Risk is high; the length parameter appears to be a
|
||||
constant, instead of computing the number of characters left.
|
||||
test.c:60: [5] (buffer) MultiByteToWideChar:
|
||||
Requires maximum length in CHARACTERS, not bytes. Risk is high, it
|
||||
appears that the size is given as bytes, but the function requires size as
|
||||
characters.
|
||||
Requires maximum length in CHARACTERS, not bytes (CWE-120). Risk is
|
||||
high, it appears that the size is given as bytes, but the function
|
||||
requires size as characters.
|
||||
test.c:62: [5] (buffer) MultiByteToWideChar:
|
||||
Requires maximum length in CHARACTERS, not bytes. Risk is high, it
|
||||
appears that the size is given as bytes, but the function requires size as
|
||||
characters.
|
||||
Requires maximum length in CHARACTERS, not bytes (CWE-120). Risk is
|
||||
high, it appears that the size is given as bytes, but the function
|
||||
requires size as characters.
|
||||
test.c:73: [5] (misc) SetSecurityDescriptorDacl:
|
||||
Never create NULL ACLs; an attacker can set it to Everyone (Deny All
|
||||
Access), which would even forbid administrator access.
|
||||
Access), which would even forbid administrator access (CWE-732).
|
||||
test.c:73: [5] (misc) SetSecurityDescriptorDacl:
|
||||
Never create NULL ACLs; an attacker can set it to Everyone (Deny All
|
||||
Access), which would even forbid administrator access.
|
||||
Access), which would even forbid administrator access (CWE-732).
|
||||
test.c:17: [4] (buffer) strcpy:
|
||||
Does not check for buffer overflows when copying to destination.
|
||||
Consider using strncpy or strlcpy (warning, strncpy is easily misused).
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is
|
||||
easily misused).
|
||||
test.c:20: [4] (buffer) sprintf:
|
||||
Does not check for buffer overflows. Use snprintf or vsnprintf.
|
||||
Does not check for buffer overflows (CWE-120). Use sprintf_s,
|
||||
snprintf, or vsnprintf.
|
||||
test.c:21: [4] (buffer) sprintf:
|
||||
Does not check for buffer overflows. Use snprintf or vsnprintf.
|
||||
Does not check for buffer overflows (CWE-120). Use sprintf_s,
|
||||
snprintf, or vsnprintf.
|
||||
test.c:22: [4] (format) sprintf:
|
||||
Potential format string problem. Make format string constant.
|
||||
Potential format string problem (CWE-134). Make format string
|
||||
constant.
|
||||
test.c:23: [4] (format) printf:
|
||||
If format strings can be influenced by an attacker, they can be
|
||||
exploited. Use a constant for the format specification.
|
||||
exploited (CWE-134). Use a constant for the format specification.
|
||||
test.c:25: [4] (buffer) scanf:
|
||||
The scanf() family's %s operation, without a limit specification,
|
||||
permits buffer overflows. Specify a limit to %s, or use a different input
|
||||
function.
|
||||
permits buffer overflows (CWE-120). Specify a limit to %s, or use a
|
||||
different input function.
|
||||
test.c:27: [4] (buffer) scanf:
|
||||
The scanf() family's %s operation, without a limit specification,
|
||||
permits buffer overflows. Specify a limit to %s, or use a different input
|
||||
function.
|
||||
permits buffer overflows (CWE-120). Specify a limit to %s, or use a
|
||||
different input function.
|
||||
test.c:38: [4] (format) syslog:
|
||||
If syslog's format strings can be influenced by an attacker, they can
|
||||
be exploited. Use a constant format string for syslog.
|
||||
be exploited (CWE-134). Use a constant format string for syslog.
|
||||
test.c:49: [4] (buffer) _mbscpy:
|
||||
Does not check for buffer overflows when copying to destination.
|
||||
Consider using a function version that stops copying at the end of the
|
||||
buffer.
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Consider using a function version that stops copying at the end of
|
||||
the buffer.
|
||||
test.c:52: [4] (buffer) lstrcat:
|
||||
Does not check for buffer overflows when concatenating to destination.
|
||||
Does not check for buffer overflows when concatenating to destination
|
||||
(CWE-120).
|
||||
test.c:75: [3] (shell) CreateProcess:
|
||||
This causes a new process to execute and is difficult to use safely.
|
||||
Specify the application path in the first argument, NOT as part of the
|
||||
second, or embedded spaces could allow an attacker to force a different
|
||||
program to run.
|
||||
This causes a new process to execute and is difficult to use safely
|
||||
(CWE-78). Specify the application path in the first argument, NOT as part
|
||||
of the second, or embedded spaces could allow an attacker to force a
|
||||
different program to run.
|
||||
test.c:75: [3] (shell) CreateProcess:
|
||||
This causes a new process to execute and is difficult to use safely.
|
||||
Specify the application path in the first argument, NOT as part of the
|
||||
second, or embedded spaces could allow an attacker to force a different
|
||||
program to run.
|
||||
This causes a new process to execute and is difficult to use safely
|
||||
(CWE-78). Specify the application path in the first argument, NOT as part
|
||||
of the second, or embedded spaces could allow an attacker to force a
|
||||
different program to run.
|
||||
test.c:91: [3] (buffer) getopt_long:
|
||||
Some older implementations do not protect against internal buffer
|
||||
overflows . Check implementation on installation, or limit the size of all
|
||||
string inputs.
|
||||
overflows (CWE-120). Check implementation on installation, or limit the
|
||||
size of all string inputs.
|
||||
test.c:16: [2] (buffer) strcpy:
|
||||
Does not check for buffer overflows when copying to destination.
|
||||
Consider using strncpy or strlcpy (warning, strncpy is easily misused). Risk
|
||||
is low because the source is a constant string.
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is
|
||||
easily misused). Risk is low because the source is a constant string.
|
||||
test.c:19: [2] (buffer) sprintf:
|
||||
Does not check for buffer overflows. Use snprintf or vsnprintf. Risk
|
||||
is low because the source has a constant maximum length.
|
||||
Does not check for buffer overflows (CWE-120). Use sprintf_s,
|
||||
snprintf, or vsnprintf. Risk is low because the source has a constant maximum
|
||||
length.
|
||||
test.c:45: [2] (buffer) char:
|
||||
Statically-sized arrays can be overflowed. Perform bounds checking,
|
||||
use functions that limit length, or ensure that the size is larger than
|
||||
the maximum possible length.
|
||||
Statically-sized arrays can be overflowed (CWE-120). Perform bounds
|
||||
checking, use functions that limit length, or ensure that the size is
|
||||
larger than the maximum possible length (CWE-119).
|
||||
test.c:46: [2] (buffer) char:
|
||||
Statically-sized arrays can be overflowed. Perform bounds checking,
|
||||
use functions that limit length, or ensure that the size is larger than
|
||||
the maximum possible length.
|
||||
Statically-sized arrays can be overflowed (CWE-120). Perform bounds
|
||||
checking, use functions that limit length, or ensure that the size is
|
||||
larger than the maximum possible length (CWE-119).
|
||||
test.c:50: [2] (buffer) memcpy:
|
||||
Does not check for buffer overflows when copying to destination. Make
|
||||
sure destination can always hold the source data.
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Make sure destination can always hold the source data.
|
||||
test.c:51: [2] (buffer) CopyMemory:
|
||||
Does not check for buffer overflows when copying to destination. Make
|
||||
sure destination can always hold the source data.
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Make sure destination can always hold the source data.
|
||||
test.c:97: [2] (misc) fopen:
|
||||
Check when opening files - can an attacker redirect it (via symlinks),
|
||||
force the opening of special file type (e.g., device files), move
|
||||
things around to create a race condition, control its ancestors, or change
|
||||
its contents?.
|
||||
its contents? (CWE-362).
|
||||
test.c:15: [1] (buffer) strcpy:
|
||||
Does not check for buffer overflows when copying to destination.
|
||||
Consider using strncpy or strlcpy (warning, strncpy is easily misused). Risk
|
||||
is low because the source is a constant character.
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is
|
||||
easily misused). Risk is low because the source is a constant
|
||||
character.
|
||||
test.c:18: [1] (buffer) sprintf:
|
||||
Does not check for buffer overflows. Use snprintf or vsnprintf. Risk
|
||||
is low because the source is a constant character.
|
||||
Does not check for buffer overflows (CWE-120). Use sprintf_s,
|
||||
snprintf, or vsnprintf. Risk is low because the source is a constant character.
|
||||
test.c:26: [1] (buffer) scanf:
|
||||
it's unclear if the %s limit in the format string is small enough.
|
||||
Check that the limit is sufficiently small, or use a different input
|
||||
function.
|
||||
it's unclear if the %s limit in the format string is small enough
|
||||
(CWE-120). Check that the limit is sufficiently small, or use a different
|
||||
input function.
|
||||
test.c:53: [1] (buffer) strncpy:
|
||||
Easily used incorrectly; doesn't always \0-terminate or check for
|
||||
invalid pointers.
|
||||
invalid pointers (CWE-120).
|
||||
test.c:54: [1] (buffer) _tcsncpy:
|
||||
Easily used incorrectly; doesn't always \0-terminate or check for
|
||||
invalid pointers.
|
||||
invalid pointers (CWE-120).
|
||||
test.c:55: [1] (buffer) strncat:
|
||||
Easily used incorrectly (e.g., incorrectly computing the correct
|
||||
maximum size to add). Consider strlcat or automatically resizing strings.
|
||||
maximum size to add) (CWE-120). Consider strcat_s, strlcat, or automatically
|
||||
resizing strings.
|
||||
test.c:58: [1] (buffer) strlen:
|
||||
Does not handle strings that are not \0-terminated (it could cause a
|
||||
crash if unprotected).
|
||||
crash if unprotected) (CWE-119).
|
||||
test.c:64: [1] (buffer) MultiByteToWideChar:
|
||||
Requires maximum length in CHARACTERS, not bytes. Risk is very low,
|
||||
the length appears to be in characters not bytes.
|
||||
Requires maximum length in CHARACTERS, not bytes (CWE-120). Risk is
|
||||
very low, the length appears to be in characters not bytes.
|
||||
test.c:66: [1] (buffer) MultiByteToWideChar:
|
||||
Requires maximum length in CHARACTERS, not bytes. Risk is very low,
|
||||
the length appears to be in characters not bytes.
|
||||
Requires maximum length in CHARACTERS, not bytes (CWE-120). Risk is
|
||||
very low, the length appears to be in characters not bytes.
|
||||
|
||||
Hits = 36
|
||||
Lines analyzed = 118
|
||||
|
|
|
|||
148
flawfinder
148
flawfinder
|
|
@ -606,7 +606,7 @@ def c_sprintf(hit):
|
|||
# otherwise, warn of potential buffer overflow (the default)
|
||||
else:
|
||||
# Ho ho - a nonconstant format string - we have a different problem.
|
||||
hit.warning = "Potential format string problem"
|
||||
hit.warning = "Potential format string problem (CWE-134)"
|
||||
hit.suggestion = "Make format string constant"
|
||||
hit.level = 4
|
||||
hit.category = "format"
|
||||
|
|
@ -628,7 +628,7 @@ def c_scanf(hit):
|
|||
elif p_low_risk_scanf_format.search(source):
|
||||
# This is often okay, but sometimes extremely serious.
|
||||
hit.level = 1
|
||||
hit.warning = "it's unclear if the %s limit in the format string is small enough"
|
||||
hit.warning = "it's unclear if the %s limit in the format string is small enough (CWE-120)"
|
||||
hit.suggestion = "Check that the limit is sufficiently small, or use a different input function"
|
||||
else:
|
||||
# No risky scanf request.
|
||||
|
|
@ -701,27 +701,27 @@ def normal(hit):
|
|||
c_ruleset = {
|
||||
"strcpy" :
|
||||
(c_buffer, 4,
|
||||
"Does not check for buffer overflows when copying to destination",
|
||||
"Consider using strncpy or strlcpy (warning, strncpy is easily misused)",
|
||||
"Does not check for buffer overflows when copying to destination (CWE-120)",
|
||||
"Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily misused)",
|
||||
"buffer", "", {}),
|
||||
"lstrcpy|wcscpy|_tcscpy|_mbscpy" :
|
||||
(c_buffer, 4,
|
||||
"Does not check for buffer overflows when copying to destination",
|
||||
"Does not check for buffer overflows when copying to destination (CWE-120)",
|
||||
"Consider using a function version that stops copying at the end of the buffer",
|
||||
"buffer", "", {}),
|
||||
"memcpy|CopyMemory|bcopy" :
|
||||
(normal, 2, # I've found this to have a lower risk in practice.
|
||||
"Does not check for buffer overflows when copying to destination",
|
||||
"Does not check for buffer overflows when copying to destination (CWE-120)",
|
||||
"Make sure destination can always hold the source data",
|
||||
"buffer", "", {}),
|
||||
"strcat" :
|
||||
(c_buffer, 4,
|
||||
"Does not check for buffer overflows when concatenating to destination",
|
||||
"Consider using strncat or strlcat (warning, strncat is easily misused)",
|
||||
"Does not check for buffer overflows when concatenating to destination (CWE-120)",
|
||||
"Consider using strcat_s, strncat, or strlcat (warning, strncat is easily misused)",
|
||||
"buffer", "", {}),
|
||||
"lstrcat|wcscat|_tcscat|_mbscat" :
|
||||
(c_buffer, 4,
|
||||
"Does not check for buffer overflows when concatenating to destination",
|
||||
"Does not check for buffer overflows when concatenating to destination (CWE-120)",
|
||||
"",
|
||||
"buffer", "", {}),
|
||||
"strncpy" :
|
||||
|
|
@ -729,7 +729,7 @@ c_ruleset = {
|
|||
1, # Low risk level, because this is often used correctly when FIXING security
|
||||
# problems, and raising it to a higher risk level would cause many false positives.
|
||||
"Easily used incorrectly; doesn't always \\0-terminate or " +
|
||||
"check for invalid pointers",
|
||||
"check for invalid pointers (CWE-120)",
|
||||
"",
|
||||
"buffer", "", {}),
|
||||
"lstrcpyn|wcsncpy|_tcsncpy|_mbsnbcpy" :
|
||||
|
|
@ -737,7 +737,7 @@ c_ruleset = {
|
|||
1, # Low risk level, because this is often used correctly when FIXING security
|
||||
# problems, and raising it to a higher risk levle would cause many false positives.
|
||||
"Easily used incorrectly; doesn't always \\0-terminate or " +
|
||||
"check for invalid pointers",
|
||||
"check for invalid pointers (CWE-120)",
|
||||
"",
|
||||
"buffer", "", {}),
|
||||
"strncat" :
|
||||
|
|
@ -745,49 +745,50 @@ c_ruleset = {
|
|||
1, # Low risk level, because this is often used correctly when
|
||||
# FIXING security problems, and raising it to a
|
||||
# higher risk level would cause many false positives.
|
||||
"Easily used incorrectly (e.g., incorrectly computing the correct maximum size to add)",
|
||||
"Consider strlcat or automatically resizing strings",
|
||||
"Easily used incorrectly (e.g., incorrectly computing the correct maximum size to add) (CWE-120)",
|
||||
"Consider strcat_s, strlcat, or automatically resizing strings",
|
||||
"buffer", "", {}),
|
||||
"lstrcatn|wcsncat|_tcsncat|_mbsnbcat" :
|
||||
(c_strncat,
|
||||
1, # Low risk level, because this is often used correctly when FIXING security
|
||||
# problems, and raising it to a higher risk level would cause many false positives.
|
||||
"Easily used incorrectly (e.g., incorrectly computing the correct maximum size to add)",
|
||||
"Consider strlcat or automatically resizing strings",
|
||||
"Easily used incorrectly (e.g., incorrectly computing the correct maximum size to add) (CWE-120)",
|
||||
"Consider strcat_s, strlcat, or automatically resizing strings",
|
||||
"buffer", "", {}),
|
||||
"strccpy|strcadd":
|
||||
(normal, 1,
|
||||
"Subject to buffer overflow if buffer is not as big as claimed",
|
||||
"Subject to buffer overflow if buffer is not as big as claimed (CWE-120)",
|
||||
"Ensure that destination buffer is sufficiently large",
|
||||
"buffer", "", {}),
|
||||
"char|TCHAR|wchar_t": # This isn't really a function call, but it works.
|
||||
(c_static_array, 2,
|
||||
"Statically-sized arrays can be overflowed",
|
||||
"Statically-sized arrays can be overflowed (CWE-120)",
|
||||
("Perform bounds checking, use functions that limit length, " +
|
||||
"or ensure that the size is larger than the maximum possible length"),
|
||||
"or ensure that the size is larger than the maximum possible length " +
|
||||
"(CWE-119)"),
|
||||
"buffer", "", {'extract_lookahead' : 1}),
|
||||
|
||||
"gets|_getts":
|
||||
(normal, 5, "Does not check for buffer overflows",
|
||||
(normal, 5, "Does not check for buffer overflows (CWE-120)",
|
||||
"Use fgets() instead", "buffer", "", {'input' : 1}),
|
||||
|
||||
# The "sprintf" hook will raise "format" issues instead if appropriate:
|
||||
"sprintf|vsprintf|swprintf|vswprintf|_stprintf|_vstprintf":
|
||||
(c_sprintf, 4,
|
||||
"Does not check for buffer overflows",
|
||||
"Use snprintf or vsnprintf",
|
||||
"Does not check for buffer overflows (CWE-120)",
|
||||
"Use sprintf_s, snprintf, or vsnprintf",
|
||||
"buffer", "", {}),
|
||||
|
||||
# TODO: Add "wide character" versions of these functions.
|
||||
"printf|vprintf|vwprintf|vfwprintf|_vtprintf":
|
||||
(c_printf, 4,
|
||||
"If format strings can be influenced by an attacker, they can be exploited",
|
||||
"If format strings can be influenced by an attacker, they can be exploited (CWE-134)",
|
||||
"Use a constant for the format specification",
|
||||
"format", "", {}),
|
||||
|
||||
"fprintf|vfprintf|_ftprintf|_vftprintf":
|
||||
(c_printf, 4,
|
||||
"If format strings can be influenced by an attacker, they can be exploited",
|
||||
"If format strings can be influenced by an attacker, they can be exploited (CWE-134)",
|
||||
"Use a constant for the format specification",
|
||||
"format", "", { 'format_position' : 2}),
|
||||
|
||||
|
|
@ -795,21 +796,21 @@ c_ruleset = {
|
|||
"syslog":
|
||||
(c_printf, 4,
|
||||
"If syslog's format strings can be influenced by an attacker, " +
|
||||
"they can be exploited",
|
||||
"they can be exploited (CWE-134)",
|
||||
"Use a constant format string for syslog",
|
||||
"format", "", { 'format_position' : 2} ),
|
||||
|
||||
"snprintf|vsnprintf|_snprintf|_sntprintf|_vsntprintf":
|
||||
(c_printf, 4,
|
||||
"If format strings can be influenced by an attacker, they can be " +
|
||||
"exploited, and note that sprintf variations do not always \\0-terminate",
|
||||
"exploited, and note that sprintf variations do not always \\0-terminate (CWE-134)",
|
||||
"Use a constant for the format specification",
|
||||
"format", "", { 'format_position' : 3}),
|
||||
|
||||
"scanf|vscanf|wscanf|_tscanf":
|
||||
(c_scanf, 4,
|
||||
"The scanf() family's %s operation, without a limit specification, " +
|
||||
"permits buffer overflows",
|
||||
"permits buffer overflows (CWE-120)",
|
||||
"Specify a limit to %s, or use a different input function",
|
||||
"buffer", "", {'input' : 1}),
|
||||
|
||||
|
|
@ -825,33 +826,33 @@ c_ruleset = {
|
|||
1, # Often this isn't really a risk, and even when, it usually at worst causes
|
||||
# program crash (and nothing worse).
|
||||
"Does not handle strings that are not \\0-terminated (it could cause a crash " +
|
||||
"if unprotected)",
|
||||
"if unprotected) (CWE-119)",
|
||||
"",
|
||||
"buffer", "", {}),
|
||||
|
||||
"MultiByteToWideChar" : # Windows
|
||||
(c_multi_byte_to_wide_char,
|
||||
2, # Only the default - this will be changed in many cases.
|
||||
"Requires maximum length in CHARACTERS, not bytes",
|
||||
"Requires maximum length in CHARACTERS, not bytes (CWE-120)",
|
||||
"",
|
||||
"buffer", "", {}),
|
||||
|
||||
"streadd|strecpy":
|
||||
(normal, 4,
|
||||
"This function does not protect against buffer overflows",
|
||||
"This function does not protect against buffer overflows (CWE-120)",
|
||||
"Ensure the destination has 4 times the size of the source, to leave room for expansion",
|
||||
"buffer", "dangers-c", {}),
|
||||
|
||||
"strtrns":
|
||||
(normal, 3,
|
||||
"This function does not protect against buffer overflows",
|
||||
"This function does not protect against buffer overflows (CWE-120)",
|
||||
"Ensure that destination is at least as long as the source",
|
||||
"buffer", "dangers-c", {}),
|
||||
|
||||
"realpath":
|
||||
(normal, 3,
|
||||
"This function does not protect against buffer overflows, " +
|
||||
"and some implementations can overflow internally",
|
||||
"and some implementations can overflow internally (CWE-120)",
|
||||
"Ensure that the destination buffer is at least of size MAXPATHLEN, and" +
|
||||
"to protect against implementation problems, the input argument should also " +
|
||||
"be checked to ensure it is no larger than MAXPATHLEN",
|
||||
|
|
@ -859,27 +860,27 @@ c_ruleset = {
|
|||
|
||||
"getopt|getopt_long":
|
||||
(normal, 3,
|
||||
"Some older implementations do not protect against internal buffer overflows ",
|
||||
"Some older implementations do not protect against internal buffer overflows (CWE-120)",
|
||||
"Check implementation on installation, or limit the size of all string inputs",
|
||||
"buffer", "dangers-c", {'input' : 1}),
|
||||
|
||||
"getpass":
|
||||
(normal, 3,
|
||||
"Some implementations may overflow buffers",
|
||||
"Some implementations may overflow buffers (CWE-120)",
|
||||
"",
|
||||
"buffer", "dangers-c", {'input' : 1}),
|
||||
|
||||
"getwd":
|
||||
(normal, 3,
|
||||
"This does not protect against buffer overflows "
|
||||
"by itself, so use with caution",
|
||||
"by itself, so use with caution (CWE-120)",
|
||||
"Use getcwd instead",
|
||||
"buffer", "dangers-c", {'input' : 1}),
|
||||
|
||||
# fread not included here; in practice I think it's rare to mistake it.
|
||||
"getchar|fgetc|getc|read|_gettc":
|
||||
(normal, 1,
|
||||
"Check buffer boundaries if used in a loop", # loops may be via recursion, too.
|
||||
"Check buffer boundaries if used in a loop including recursive loops (CWE-120)",
|
||||
"",
|
||||
"buffer", "dangers-c", {'input' : 1}),
|
||||
|
||||
|
|
@ -888,7 +889,7 @@ c_ruleset = {
|
|||
"This usually indicates a security flaw. If an " +
|
||||
"attacker can change anything along the path between the " +
|
||||
"call to access() and the file's actual use (e.g., by moving " +
|
||||
"files), the attacker can exploit the race condition",
|
||||
"files), the attacker can exploit the race condition (CWE-362)",
|
||||
"Set up the correct permissions (e.g., using setuid()) and " +
|
||||
"try to open the file directly",
|
||||
"race",
|
||||
|
|
@ -896,32 +897,33 @@ c_ruleset = {
|
|||
"chown":
|
||||
(normal, 5,
|
||||
"This accepts filename arguments; if an attacker " +
|
||||
"can move those files, a race condition results. ",
|
||||
"can move those files, a race condition results. (CWE-362)",
|
||||
"Use fchown( ) instead",
|
||||
"race", "", {}),
|
||||
"chgrp":
|
||||
(normal, 5,
|
||||
"This accepts filename arguments; if an attacker " +
|
||||
"can move those files, a race condition results. ",
|
||||
"can move those files, a race condition results. (CWE-362)",
|
||||
"Use fchgrp( ) instead",
|
||||
"race", "", {}),
|
||||
"chmod":
|
||||
(normal, 5,
|
||||
"This accepts filename arguments; if an attacker " +
|
||||
"can move those files, a race condition results. ",
|
||||
"can move those files, a race condition results. (CWE-362)",
|
||||
"Use fchmod( ) instead",
|
||||
"race", "", {}),
|
||||
"vfork":
|
||||
(normal, 2,
|
||||
"On some old systems, vfork() permits race conditions, and it's " +
|
||||
"very difficult to use correctly",
|
||||
"very difficult to use correctly (CWE-362)",
|
||||
"Use fork() instead",
|
||||
"race", "", {}),
|
||||
"readlink":
|
||||
(normal, 5,
|
||||
"This accepts filename arguments; if an attacker " +
|
||||
"can move those files or change the link content, " +
|
||||
"a race condition results. Also, it does not terminate with ASCII NUL",
|
||||
"a race condition results. " +
|
||||
"Also, it does not terminate with ASCII NUL. (CWE-362)",
|
||||
# This is often just a bad idea, and it's hard to suggest a
|
||||
# simple alternative:
|
||||
"Reconsider approach",
|
||||
|
|
@ -929,37 +931,37 @@ c_ruleset = {
|
|||
|
||||
"tmpfile":
|
||||
(normal, 2,
|
||||
"Function tmpfile() has a security flaw on some systems (e.g., older System V systems)",
|
||||
"Function tmpfile() has a security flaw on some systems (e.g., older System V systems) (CWE-377)",
|
||||
"",
|
||||
"tmpfile", "", {}),
|
||||
"tmpnam|tempnam":
|
||||
(normal, 3,
|
||||
"Temporary file race condition",
|
||||
"Temporary file race condition (CWE-377)",
|
||||
"",
|
||||
"tmpfile", "avoid-race", {}),
|
||||
|
||||
# TODO: Detect GNOME approach to mktemp and ignore it.
|
||||
"mktemp":
|
||||
(normal, 4,
|
||||
"Temporary file race condition",
|
||||
"Temporary file race condition (CWE-377)",
|
||||
"",
|
||||
"tmpfile", "avoid-race", {}),
|
||||
|
||||
"mkstemp":
|
||||
(normal, 2,
|
||||
"Potential for temporary file vulnerability in some circumstances. Some older Unix-like systems create temp files with permission to write by all by default, so be sure to set the umask to override this. Also, some older Unix systems might fail to use O_EXCL when opening the file, so make sure that O_EXCL is used by the library",
|
||||
"Potential for temporary file vulnerability in some circumstances. Some older Unix-like systems create temp files with permission to write by all by default, so be sure to set the umask to override this. Also, some older Unix systems might fail to use O_EXCL when opening the file, so make sure that O_EXCL is used by the library (CWE-377)",
|
||||
"",
|
||||
"tmpfile", "avoid-race", {}),
|
||||
|
||||
"fopen|open":
|
||||
(normal, 2,
|
||||
"Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?",
|
||||
"Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362)",
|
||||
"",
|
||||
"misc", "", {}),
|
||||
|
||||
"umask":
|
||||
(normal, 1,
|
||||
"Ensure that umask is given most restrictive possible setting (e.g., 066 or 077)",
|
||||
"Ensure that umask is given most restrictive possible setting (e.g., 066 or 077) (CWE-732)",
|
||||
"",
|
||||
"access", "", {}),
|
||||
|
||||
|
|
@ -967,14 +969,14 @@ c_ruleset = {
|
|||
"GetTempFileName":
|
||||
(normal, 3,
|
||||
"Temporary file race condition in certain cases " +
|
||||
"(e.g., if run as SYSTEM in many versions of Windows)",
|
||||
"(e.g., if run as SYSTEM in many versions of Windows) (CWE-377)",
|
||||
"",
|
||||
"tmpfile", "avoid-race", {}),
|
||||
|
||||
# TODO: Need to detect varying levels of danger.
|
||||
"execl|execlp|execle|execv|execvp|system|popen|WinExec|ShellExecute":
|
||||
(normal, 4,
|
||||
"This causes a new program to execute and is difficult to use safely",
|
||||
"This causes a new program to execute and is difficult to use safely (CWE-78)",
|
||||
"try using a library call that implements the same functionality " +
|
||||
"if available",
|
||||
"shell", "", {}),
|
||||
|
|
@ -982,7 +984,7 @@ c_ruleset = {
|
|||
# TODO: Need to detect varying levels of danger.
|
||||
"execl|execlp|execle|execv|execvp|system|popen|WinExec|ShellExecute":
|
||||
(normal, 4,
|
||||
"This causes a new program to execute and is difficult to use safely",
|
||||
"This causes a new program to execute and is difficult to use safely (CWE-78)",
|
||||
"try using a library call that implements the same functionality " +
|
||||
"if available",
|
||||
"shell", "", {}),
|
||||
|
|
@ -991,7 +993,7 @@ c_ruleset = {
|
|||
# second param with embedded space. Windows.
|
||||
"CreateProcessAsUser|CreateProcessWithLogon":
|
||||
(normal, 3,
|
||||
"This causes a new process to execute and is difficult to use safely",
|
||||
"This causes a new process to execute and is difficult to use safely (CWE-78)",
|
||||
"Especially watch out for embedded spaces",
|
||||
"shell", "", {}),
|
||||
|
||||
|
|
@ -999,7 +1001,7 @@ c_ruleset = {
|
|||
# second param with embedded space. Windows.
|
||||
"CreateProcess":
|
||||
(c_hit_if_null, 3,
|
||||
"This causes a new process to execute and is difficult to use safely",
|
||||
"This causes a new process to execute and is difficult to use safely (CWE-78)",
|
||||
"Specify the application path in the first argument, NOT as part of the second, " +
|
||||
"or embedded spaces could allow an attacker to force a different program to run",
|
||||
"shell", "", {'check_for_null' : 1}),
|
||||
|
|
@ -1009,13 +1011,13 @@ c_ruleset = {
|
|||
"Unless checked, the resulting number can exceed the expected range",
|
||||
" If source untrusted, check both minimum and maximum, even if the" +
|
||||
" input had no minus sign (large numbers can roll over into negative" +
|
||||
" number; consider saving to an unsigned value if that is intended)",
|
||||
" number; consider saving to an unsigned value if that is intended) (CWE-190)",
|
||||
"integer", "dangers-c", {}),
|
||||
|
||||
# Random values. Don't trigger on "initstate", it's too common a term.
|
||||
"drand48|erand48|jrand48|lcong48|lrand48|mrand48|nrand48|random|seed48|setstate|srand|strfry|srandom":
|
||||
(normal, 3,
|
||||
"This function is not sufficiently random for security-related functions such as key and nonce creation",
|
||||
"This function is not sufficiently random for security-related functions such as key and nonce creation (CWE-327)",
|
||||
"use a more secure technique for acquiring random values",
|
||||
"random", "", {}),
|
||||
|
||||
|
|
@ -1023,14 +1025,14 @@ c_ruleset = {
|
|||
(normal, 4,
|
||||
"Function crypt is a poor one-way hashing algorithm; since it only accepts passwords of 8 " +
|
||||
"characters or less, and only a two-byte salt, it is excessively vulnerable to " +
|
||||
"dictionary attacks given today's faster computing equipment",
|
||||
"dictionary attacks given today's faster computing equipment (CWE-327)",
|
||||
"Use a different algorithm, such as SHA-1, with a larger non-repeating salt",
|
||||
"crypto", "", {}),
|
||||
|
||||
# OpenSSL EVP calls to use DES.
|
||||
"EVP_des_ecb|EVP_des_cbc|EVP_des_cfb|EVP_des_ofb|EVP_desx_cbc":
|
||||
(normal, 4,
|
||||
"DES only supports a 56-bit keysize, which is too small given today's computers",
|
||||
"DES only supports a 56-bit keysize, which is too small given today's computers (CWE-327)",
|
||||
"Use a different patent-free encryption algorithm with a larger keysize, " +
|
||||
"such as 3DES or AES",
|
||||
"crypto", "", {}),
|
||||
|
|
@ -1038,14 +1040,14 @@ c_ruleset = {
|
|||
# Other OpenSSL EVP calls to use small keys.
|
||||
"EVP_rc4_40|EVP_rc2_40_cbc|EVP_rc2_64_cbc":
|
||||
(normal, 4,
|
||||
"These keysizes are too small given today's computers",
|
||||
"These keysizes are too small given today's computers (CWE-327)",
|
||||
"Use a different patent-free encryption algorithm with a larger keysize, " +
|
||||
"such as 3DES or AES",
|
||||
"crypto", "", {}),
|
||||
|
||||
"chroot":
|
||||
(normal, 3,
|
||||
"chroot can be very helpful, but is hard to use correctly",
|
||||
"chroot can be very helpful, but is hard to use correctly (CWE-250, CWE-22)",
|
||||
"Make sure the program immediately chdir(\"/\")," +
|
||||
" closes file descriptors," +
|
||||
" and drops root privileges, and that all necessary files" +
|
||||
|
|
@ -1055,7 +1057,7 @@ c_ruleset = {
|
|||
"getenv|curl_getenv":
|
||||
(normal, 3, "Environment variables are untrustable input if they can be" +
|
||||
" set by an attacker. They can have any content and" +
|
||||
" length, and the same variable can be set more than once",
|
||||
" length, and the same variable can be set more than once (CWE-807)",
|
||||
"Check environment variables carefully before using them",
|
||||
"buffer", "", {'input' : 1}),
|
||||
|
||||
|
|
@ -1063,7 +1065,7 @@ c_ruleset = {
|
|||
(normal, 3, "This function is synonymous with 'getenv(\"HOME\")';" +
|
||||
"it returns untrustable input if the environment can be" +
|
||||
"set by an attacker. It can have any content and length, " +
|
||||
"and the same variable can be set more than once",
|
||||
"and the same variable can be set more than once (CWE-807)",
|
||||
"Check environment variables carefully before using them",
|
||||
"buffer", "", {'input' : 1}),
|
||||
|
||||
|
|
@ -1071,7 +1073,7 @@ c_ruleset = {
|
|||
(normal, 3, "This function is synonymous with 'getenv(\"TMP\")';" +
|
||||
"it returns untrustable input if the environment can be" +
|
||||
"set by an attacker. It can have any content and length, " +
|
||||
"and the same variable can be set more than once",
|
||||
"and the same variable can be set more than once (CWE-807)",
|
||||
"Check environment variables carefully before using them",
|
||||
"buffer", "", {'input' : 1}),
|
||||
|
||||
|
|
@ -1082,7 +1084,7 @@ c_ruleset = {
|
|||
"RpcImpersonateClient|ImpersonateLoggedOnUser|CoImpersonateClient|" +
|
||||
"ImpersonateNamedPipeClient|ImpersonateDdeClientWindow|ImpersonateSecurityContext|" +
|
||||
"SetThreadToken":
|
||||
(normal, 4, "If this call fails, the program could fail to drop heightened privileges",
|
||||
(normal, 4, "If this call fails, the program could fail to drop heightened privileges (CWE-250)",
|
||||
"Make sure the return value is checked, and do not continue if a failure is reported",
|
||||
"access", "", {}),
|
||||
|
||||
|
|
@ -1097,68 +1099,68 @@ c_ruleset = {
|
|||
"misc", "", {}),
|
||||
|
||||
"LoadLibrary|LoadLibraryEx":
|
||||
(normal, 3, "Ensure that the full path to the library is specified, or current directory may be used",
|
||||
(normal, 3, "Ensure that the full path to the library is specified, or current directory may be used (CWE-829)",
|
||||
"Use registry entry or GetWindowsDirectory to find library path, if you aren't already",
|
||||
"misc", "", {'input' : 1}),
|
||||
|
||||
"SetSecurityDescriptorDacl":
|
||||
(c_hit_if_null, 5,
|
||||
"Never create NULL ACLs; an attacker can set it to Everyone (Deny All Access), " +
|
||||
"which would even forbid administrator access",
|
||||
"which would even forbid administrator access (CWE-732)",
|
||||
"",
|
||||
"misc", "", {'check_for_null' : 3}),
|
||||
|
||||
"AddAccessAllowedAce":
|
||||
(normal, 3,
|
||||
"This doesn't set the inheritance bits in the access control entry (ACE) header",
|
||||
"This doesn't set the inheritance bits in the access control entry (ACE) header (CWE-732)",
|
||||
"Make sure that you set inheritance by hand if you wish it to inherit",
|
||||
"misc", "", {}),
|
||||
|
||||
"getlogin":
|
||||
(normal, 4,
|
||||
"It's often easy to fool getlogin. Sometimes it does not work at all, because some program messed up the utmp file. Often, it gives only the first 8 characters of the login name. The user currently logged in on the controlling tty of our program need not be the user who started it. Avoid getlogin() for security-related purposes",
|
||||
"It's often easy to fool getlogin. Sometimes it does not work at all, because some program messed up the utmp file. Often, it gives only the first 8 characters of the login name. The user currently logged in on the controlling tty of our program need not be the user who started it. Avoid getlogin() for security-related purposes (CWE-807)",
|
||||
"Use getpwuid(geteuid()) and extract the desired information instead",
|
||||
"misc", "", {}),
|
||||
|
||||
"cuserid":
|
||||
(normal, 4,
|
||||
"Exactly what cuserid() does is poorly defined (e.g., some systems use the effective uid, like Linux, while others like System V use the real uid). Thus, you can't trust what it does. It's certainly not portable (The cuserid function was included in the 1988 version of POSIX, but removed from the 1990 version). Also, if passed a non-null parameter, there's a risk of a buffer overflow if the passed-in buffer is not at least L_cuserid characters long",
|
||||
"Exactly what cuserid() does is poorly defined (e.g., some systems use the effective uid, like Linux, while others like System V use the real uid). Thus, you can't trust what it does. It's certainly not portable (The cuserid function was included in the 1988 version of POSIX, but removed from the 1990 version). Also, if passed a non-null parameter, there's a risk of a buffer overflow if the passed-in buffer is not at least L_cuserid characters long (CWE-120)",
|
||||
"Use getpwuid(geteuid()) and extract the desired information instead",
|
||||
"misc", "", {}),
|
||||
|
||||
"getpw":
|
||||
(normal, 4,
|
||||
"This function is dangerous; it may overflow the provided buffer. It extracts data from a 'protected' area, but most systems have many commands to let users modify the protected area, and it's not always clear what their limits are. Best to avoid using this function altogether",
|
||||
"This function is dangerous; it may overflow the provided buffer. It extracts data from a 'protected' area, but most systems have many commands to let users modify the protected area, and it's not always clear what their limits are. Best to avoid using this function altogether (CWE-676, CWE-120)",
|
||||
"Use getpwuid() instead",
|
||||
"buffer", "", {}),
|
||||
|
||||
"getpass":
|
||||
(normal, 4,
|
||||
"This function is obsolete and not portable. It was in SUSv2 but removed by POSIX.2. What it does exactly varies considerably between systems, particularly in where its prompt is displayed and where it gets its data (e.g., /dev/tty, stdin, stderr, etc.)",
|
||||
"This function is obsolete and not portable. It was in SUSv2 but removed by POSIX.2. What it does exactly varies considerably between systems, particularly in where its prompt is displayed and where it gets its data (e.g., /dev/tty, stdin, stderr, etc.) (CWE-676)",
|
||||
"Make the specific calls to do exactly what you want. If you continue to use it, or write your own, be sure to zero the password as soon as possible to avoid leaving the cleartext password visible in the process' address space",
|
||||
"misc", "", {}),
|
||||
|
||||
"gsignal|ssignal":
|
||||
(normal, 2,
|
||||
"These functions are considered obsolete on most systems, and very non-poertable (Linux-based systems handle them radically different, basically if gsignal/ssignal were the same as raise/signal respectively, while System V considers them a separate set and obsolete)",
|
||||
"These functions are considered obsolete on most systems, and very non-poertable (Linux-based systems handle them radically different, basically if gsignal/ssignal were the same as raise/signal respectively, while System V considers them a separate set and obsolete) (CWE-676)",
|
||||
"Switch to raise/signal, or some other signalling approach",
|
||||
"obsolete", "", {}),
|
||||
|
||||
"memalign":
|
||||
(normal, 1,
|
||||
"On some systems (though not Linux-based systems) an attempt to free() results from memalign() may fail. This may, on a few systems, be exploitable. Also note that memalign() may not check that the boundary parameter is correct",
|
||||
"On some systems (though not Linux-based systems) an attempt to free() results from memalign() may fail. This may, on a few systems, be exploitable. Also note that memalign() may not check that the boundary parameter is correct (CWE-676)",
|
||||
"Use posix_memalign instead (defined in POSIX's 1003.1d). Don't switch to valloc(); it is marked as obsolete in BSD 4.3, as legacy in SUSv2, and is no longer defined in SUSv3. In some cases, malloc()'s alignment may be sufficient",
|
||||
"free", "", {}),
|
||||
|
||||
"ulimit":
|
||||
(normal, 1,
|
||||
"This C routine is considered obsolete (as opposed to the shell command by the same name, which is NOT obsolete)",
|
||||
"This C routine is considered obsolete (as opposed to the shell command by the same name, which is NOT obsolete) (CWE-676)",
|
||||
"Use getrlimit(2), setrlimit(2), and sysconf(3) instead",
|
||||
"obsolete", "", {}),
|
||||
|
||||
"usleep":
|
||||
(normal, 1,
|
||||
"This C routine is considered obsolete (as opposed to the shell command by the same name). The interaction of this function with SIGALRM and other timer functions such as sleep(), alarm(), setitimer(), and nanosleep() is unspecified",
|
||||
"This C routine is considered obsolete (as opposed to the shell command by the same name). The interaction of this function with SIGALRM and other timer functions such as sleep(), alarm(), setitimer(), and nanosleep() is unspecified (CWE-676)",
|
||||
"Use nanosleep(2) or setitimer(2) instead",
|
||||
"obsolete", "", {}),
|
||||
|
||||
|
|
|
|||
11
flawfinder.1
11
flawfinder.1
|
|
@ -93,6 +93,17 @@ Normally flawfinder shows all hits with a risk level of at least 1,
|
|||
but you can use the \-\-minlevel option
|
||||
to show only hits with higher risk levels if you wish.
|
||||
.PP
|
||||
Hit descriptions typically include a relevant
|
||||
Common Weakness Enumeration (CWE) identifier in parentheses.
|
||||
For example, many of the buffer-related hits mention
|
||||
CWE-120, the CWE identifier for
|
||||
``buffer copy without checking size of input''
|
||||
(aka ``Classic Buffer Overflow'').
|
||||
For more information on CWEs, see http://cwe.mitre.org.
|
||||
CWEs were preferentially assigned from the CWE/SANS top 25 list
|
||||
(http://cwe.mitre.org/top25/),
|
||||
though in some cases a more specific or general CWE is used.
|
||||
.PP
|
||||
Not every hit is actually a security vulnerability,
|
||||
and not every security vulnerability is necessarily found.
|
||||
Nevertheless, flawfinder can be an aid in finding and removing
|
||||
|
|
|
|||
|
|
@ -17,170 +17,176 @@ Examining test.c <br>
|
|||
Examining test2.c <br>
|
||||
<ul>
|
||||
<li>test.c:32: <b> [5] </b> (buffer) <i> gets:
|
||||
Does not check for buffer overflows. Use fgets() instead. </i>
|
||||
Does not check for buffer overflows (CWE-120). Use fgets() instead. </i>
|
||||
<pre>
|
||||
gets(f);
|
||||
</pre>
|
||||
<li>test.c:56: <b> [5] </b> (buffer) <i> strncat:
|
||||
Easily used incorrectly (e.g., incorrectly computing the correct
|
||||
maximum size to add). Consider strlcat or automatically resizing strings.
|
||||
Risk is high; the length parameter appears to be a constant, instead of
|
||||
computing the number of characters left. </i>
|
||||
maximum size to add) (CWE-120). Consider strcat_s, strlcat, or automatically
|
||||
resizing strings. Risk is high; the length parameter appears to be a
|
||||
constant, instead of computing the number of characters left. </i>
|
||||
<pre>
|
||||
strncat(d,s,sizeof(d)); /* Misuse - this should be flagged as riskier. */
|
||||
</pre>
|
||||
<li>test.c:57: <b> [5] </b> (buffer) <i> _tcsncat:
|
||||
Easily used incorrectly (e.g., incorrectly computing the correct
|
||||
maximum size to add). Consider strlcat or automatically resizing strings.
|
||||
Risk is high; the length parameter appears to be a constant, instead of
|
||||
computing the number of characters left. </i>
|
||||
maximum size to add) (CWE-120). Consider strcat_s, strlcat, or automatically
|
||||
resizing strings. Risk is high; the length parameter appears to be a
|
||||
constant, instead of computing the number of characters left. </i>
|
||||
<pre>
|
||||
_tcsncat(d,s,sizeof(d)); /* Misuse - flag as riskier */
|
||||
</pre>
|
||||
<li>test.c:60: <b> [5] </b> (buffer) <i> MultiByteToWideChar:
|
||||
Requires maximum length in CHARACTERS, not bytes. Risk is high, it
|
||||
appears that the size is given as bytes, but the function requires size as
|
||||
characters. </i>
|
||||
Requires maximum length in CHARACTERS, not bytes (CWE-120). Risk is
|
||||
high, it appears that the size is given as bytes, but the function
|
||||
requires size as characters. </i>
|
||||
<pre>
|
||||
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName));
|
||||
</pre>
|
||||
<li>test.c:62: <b> [5] </b> (buffer) <i> MultiByteToWideChar:
|
||||
Requires maximum length in CHARACTERS, not bytes. Risk is high, it
|
||||
appears that the size is given as bytes, but the function requires size as
|
||||
characters. </i>
|
||||
Requires maximum length in CHARACTERS, not bytes (CWE-120). Risk is
|
||||
high, it appears that the size is given as bytes, but the function
|
||||
requires size as characters. </i>
|
||||
<pre>
|
||||
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof wszUserName);
|
||||
</pre>
|
||||
<li>test.c:73: <b> [5] </b> (misc) <i> SetSecurityDescriptorDacl:
|
||||
Never create NULL ACLs; an attacker can set it to Everyone (Deny All
|
||||
Access), which would even forbid administrator access. </i>
|
||||
Access), which would even forbid administrator access (CWE-732). </i>
|
||||
<pre>
|
||||
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);
|
||||
</pre>
|
||||
<li>test.c:73: <b> [5] </b> (misc) <i> SetSecurityDescriptorDacl:
|
||||
Never create NULL ACLs; an attacker can set it to Everyone (Deny All
|
||||
Access), which would even forbid administrator access. </i>
|
||||
Access), which would even forbid administrator access (CWE-732). </i>
|
||||
<pre>
|
||||
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);
|
||||
</pre>
|
||||
<li>test.c:17: <b> [4] </b> (buffer) <i> strcpy:
|
||||
Does not check for buffer overflows when copying to destination.
|
||||
Consider using strncpy or strlcpy (warning, strncpy is easily misused). </i>
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is
|
||||
easily misused). </i>
|
||||
<pre>
|
||||
strcpy(b, a);
|
||||
</pre>
|
||||
<li>test.c:20: <b> [4] </b> (buffer) <i> sprintf:
|
||||
Does not check for buffer overflows. Use snprintf or vsnprintf. </i>
|
||||
Does not check for buffer overflows (CWE-120). Use sprintf_s,
|
||||
snprintf, or vsnprintf. </i>
|
||||
<pre>
|
||||
sprintf(s, "hello %s", bug);
|
||||
</pre>
|
||||
<li>test.c:21: <b> [4] </b> (buffer) <i> sprintf:
|
||||
Does not check for buffer overflows. Use snprintf or vsnprintf. </i>
|
||||
Does not check for buffer overflows (CWE-120). Use sprintf_s,
|
||||
snprintf, or vsnprintf. </i>
|
||||
<pre>
|
||||
sprintf(s, gettext("hello %s"), bug);
|
||||
</pre>
|
||||
<li>test.c:22: <b> [4] </b> (format) <i> sprintf:
|
||||
Potential format string problem. Make format string constant. </i>
|
||||
Potential format string problem (CWE-134). Make format string
|
||||
constant. </i>
|
||||
<pre>
|
||||
sprintf(s, unknown, bug);
|
||||
</pre>
|
||||
<li>test.c:23: <b> [4] </b> (format) <i> printf:
|
||||
If format strings can be influenced by an attacker, they can be
|
||||
exploited. Use a constant for the format specification. </i>
|
||||
exploited (CWE-134). Use a constant for the format specification. </i>
|
||||
<pre>
|
||||
printf(bf, x);
|
||||
</pre>
|
||||
<li>test.c:25: <b> [4] </b> (buffer) <i> scanf:
|
||||
The scanf() family's %s operation, without a limit specification,
|
||||
permits buffer overflows. Specify a limit to %s, or use a different input
|
||||
function. </i>
|
||||
permits buffer overflows (CWE-120). Specify a limit to %s, or use a
|
||||
different input function. </i>
|
||||
<pre>
|
||||
scanf("%s", s);
|
||||
</pre>
|
||||
<li>test.c:27: <b> [4] </b> (buffer) <i> scanf:
|
||||
The scanf() family's %s operation, without a limit specification,
|
||||
permits buffer overflows. Specify a limit to %s, or use a different input
|
||||
function. </i>
|
||||
permits buffer overflows (CWE-120). Specify a limit to %s, or use a
|
||||
different input function. </i>
|
||||
<pre>
|
||||
scanf("%s", s);
|
||||
</pre>
|
||||
<li>test.c:38: <b> [4] </b> (format) <i> syslog:
|
||||
If syslog's format strings can be influenced by an attacker, they can
|
||||
be exploited. Use a constant format string for syslog. </i>
|
||||
be exploited (CWE-134). Use a constant format string for syslog. </i>
|
||||
<pre>
|
||||
syslog(LOG_ERR, attacker_string);
|
||||
</pre>
|
||||
<li>test.c:49: <b> [4] </b> (buffer) <i> _mbscpy:
|
||||
Does not check for buffer overflows when copying to destination.
|
||||
Consider using a function version that stops copying at the end of the
|
||||
buffer. </i>
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Consider using a function version that stops copying at the end of
|
||||
the buffer. </i>
|
||||
<pre>
|
||||
_mbscpy(d,s); /* like strcpy, this doesn't check for buffer overflow */
|
||||
</pre>
|
||||
<li>test.c:52: <b> [4] </b> (buffer) <i> lstrcat:
|
||||
Does not check for buffer overflows when concatenating to destination. </i>
|
||||
Does not check for buffer overflows when concatenating to destination
|
||||
(CWE-120). </i>
|
||||
<pre>
|
||||
lstrcat(d,s);
|
||||
</pre>
|
||||
<li>test.c:75: <b> [3] </b> (shell) <i> CreateProcess:
|
||||
This causes a new process to execute and is difficult to use safely.
|
||||
Specify the application path in the first argument, NOT as part of the
|
||||
second, or embedded spaces could allow an attacker to force a different
|
||||
program to run. </i>
|
||||
This causes a new process to execute and is difficult to use safely
|
||||
(CWE-78). Specify the application path in the first argument, NOT as part
|
||||
of the second, or embedded spaces could allow an attacker to force a
|
||||
different program to run. </i>
|
||||
<pre>
|
||||
CreateProcess(NULL, "C:\\Program Files\\GoodGuy\\GoodGuy.exe -x", "");
|
||||
</pre>
|
||||
<li>test.c:75: <b> [3] </b> (shell) <i> CreateProcess:
|
||||
This causes a new process to execute and is difficult to use safely.
|
||||
Specify the application path in the first argument, NOT as part of the
|
||||
second, or embedded spaces could allow an attacker to force a different
|
||||
program to run. </i>
|
||||
This causes a new process to execute and is difficult to use safely
|
||||
(CWE-78). Specify the application path in the first argument, NOT as part
|
||||
of the second, or embedded spaces could allow an attacker to force a
|
||||
different program to run. </i>
|
||||
<pre>
|
||||
CreateProcess(NULL, "C:\\Program Files\\GoodGuy\\GoodGuy.exe -x", "");
|
||||
</pre>
|
||||
<li>test.c:91: <b> [3] </b> (buffer) <i> getopt_long:
|
||||
Some older implementations do not protect against internal buffer
|
||||
overflows . Check implementation on installation, or limit the size of all
|
||||
string inputs. </i>
|
||||
overflows (CWE-120). Check implementation on installation, or limit the
|
||||
size of all string inputs. </i>
|
||||
<pre>
|
||||
while ((optc = getopt_long (argc, argv, "a",longopts, NULL )) != EOF) {
|
||||
</pre>
|
||||
<li>test.c:16: <b> [2] </b> (buffer) <i> strcpy:
|
||||
Does not check for buffer overflows when copying to destination.
|
||||
Consider using strncpy or strlcpy (warning, strncpy is easily misused). Risk
|
||||
is low because the source is a constant string. </i>
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is
|
||||
easily misused). Risk is low because the source is a constant string. </i>
|
||||
<pre>
|
||||
strcpy(a, gettext("Hello there")); // Did this work?
|
||||
</pre>
|
||||
<li>test.c:19: <b> [2] </b> (buffer) <i> sprintf:
|
||||
Does not check for buffer overflows. Use snprintf or vsnprintf. Risk
|
||||
is low because the source has a constant maximum length. </i>
|
||||
Does not check for buffer overflows (CWE-120). Use sprintf_s,
|
||||
snprintf, or vsnprintf. Risk is low because the source has a constant maximum
|
||||
length. </i>
|
||||
<pre>
|
||||
sprintf(s, "hello");
|
||||
</pre>
|
||||
<li>test.c:45: <b> [2] </b> (buffer) <i> char:
|
||||
Statically-sized arrays can be overflowed. Perform bounds checking,
|
||||
use functions that limit length, or ensure that the size is larger than
|
||||
the maximum possible length. </i>
|
||||
Statically-sized arrays can be overflowed (CWE-120). Perform bounds
|
||||
checking, use functions that limit length, or ensure that the size is
|
||||
larger than the maximum possible length (CWE-119). </i>
|
||||
<pre>
|
||||
char d[20];
|
||||
</pre>
|
||||
<li>test.c:46: <b> [2] </b> (buffer) <i> char:
|
||||
Statically-sized arrays can be overflowed. Perform bounds checking,
|
||||
use functions that limit length, or ensure that the size is larger than
|
||||
the maximum possible length. </i>
|
||||
Statically-sized arrays can be overflowed (CWE-120). Perform bounds
|
||||
checking, use functions that limit length, or ensure that the size is
|
||||
larger than the maximum possible length (CWE-119). </i>
|
||||
<pre>
|
||||
char s[20];
|
||||
</pre>
|
||||
<li>test.c:50: <b> [2] </b> (buffer) <i> memcpy:
|
||||
Does not check for buffer overflows when copying to destination. Make
|
||||
sure destination can always hold the source data. </i>
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Make sure destination can always hold the source data. </i>
|
||||
<pre>
|
||||
memcpy(d,s);
|
||||
</pre>
|
||||
<li>test.c:51: <b> [2] </b> (buffer) <i> CopyMemory:
|
||||
Does not check for buffer overflows when copying to destination. Make
|
||||
sure destination can always hold the source data. </i>
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Make sure destination can always hold the source data. </i>
|
||||
<pre>
|
||||
CopyMemory(d,s);
|
||||
</pre>
|
||||
|
|
@ -188,63 +194,65 @@ Examining test2.c <br>
|
|||
Check when opening files - can an attacker redirect it (via symlinks),
|
||||
force the opening of special file type (e.g., device files), move
|
||||
things around to create a race condition, control its ancestors, or change
|
||||
its contents?. </i>
|
||||
its contents? (CWE-362). </i>
|
||||
<pre>
|
||||
f = fopen("/etc/passwd", "r");
|
||||
</pre>
|
||||
<li>test.c:15: <b> [1] </b> (buffer) <i> strcpy:
|
||||
Does not check for buffer overflows when copying to destination.
|
||||
Consider using strncpy or strlcpy (warning, strncpy is easily misused). Risk
|
||||
is low because the source is a constant character. </i>
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is
|
||||
easily misused). Risk is low because the source is a constant
|
||||
character. </i>
|
||||
<pre>
|
||||
strcpy(a, "\n"); // Did this work?
|
||||
</pre>
|
||||
<li>test.c:18: <b> [1] </b> (buffer) <i> sprintf:
|
||||
Does not check for buffer overflows. Use snprintf or vsnprintf. Risk
|
||||
is low because the source is a constant character. </i>
|
||||
Does not check for buffer overflows (CWE-120). Use sprintf_s,
|
||||
snprintf, or vsnprintf. Risk is low because the source is a constant character. </i>
|
||||
<pre>
|
||||
sprintf(s, "\n");
|
||||
</pre>
|
||||
<li>test.c:26: <b> [1] </b> (buffer) <i> scanf:
|
||||
it's unclear if the %s limit in the format string is small enough.
|
||||
Check that the limit is sufficiently small, or use a different input
|
||||
function. </i>
|
||||
it's unclear if the %s limit in the format string is small enough
|
||||
(CWE-120). Check that the limit is sufficiently small, or use a different
|
||||
input function. </i>
|
||||
<pre>
|
||||
scanf("%10s", s);
|
||||
</pre>
|
||||
<li>test.c:53: <b> [1] </b> (buffer) <i> strncpy:
|
||||
Easily used incorrectly; doesn't always \0-terminate or check for
|
||||
invalid pointers. </i>
|
||||
invalid pointers (CWE-120). </i>
|
||||
<pre>
|
||||
strncpy(d,s);
|
||||
</pre>
|
||||
<li>test.c:54: <b> [1] </b> (buffer) <i> _tcsncpy:
|
||||
Easily used incorrectly; doesn't always \0-terminate or check for
|
||||
invalid pointers. </i>
|
||||
invalid pointers (CWE-120). </i>
|
||||
<pre>
|
||||
_tcsncpy(d,s);
|
||||
</pre>
|
||||
<li>test.c:55: <b> [1] </b> (buffer) <i> strncat:
|
||||
Easily used incorrectly (e.g., incorrectly computing the correct
|
||||
maximum size to add). Consider strlcat or automatically resizing strings. </i>
|
||||
maximum size to add) (CWE-120). Consider strcat_s, strlcat, or automatically
|
||||
resizing strings. </i>
|
||||
<pre>
|
||||
strncat(d,s,10);
|
||||
</pre>
|
||||
<li>test.c:58: <b> [1] </b> (buffer) <i> strlen:
|
||||
Does not handle strings that are not \0-terminated (it could cause a
|
||||
crash if unprotected). </i>
|
||||
crash if unprotected) (CWE-119). </i>
|
||||
<pre>
|
||||
n = strlen(d);
|
||||
</pre>
|
||||
<li>test.c:64: <b> [1] </b> (buffer) <i> MultiByteToWideChar:
|
||||
Requires maximum length in CHARACTERS, not bytes. Risk is very low,
|
||||
the length appears to be in characters not bytes. </i>
|
||||
Requires maximum length in CHARACTERS, not bytes (CWE-120). Risk is
|
||||
very low, the length appears to be in characters not bytes. </i>
|
||||
<pre>
|
||||
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName)/sizeof(wszUserName[0]));
|
||||
</pre>
|
||||
<li>test.c:66: <b> [1] </b> (buffer) <i> MultiByteToWideChar:
|
||||
Requires maximum length in CHARACTERS, not bytes. Risk is very low,
|
||||
the length appears to be in characters not bytes. </i>
|
||||
Requires maximum length in CHARACTERS, not bytes (CWE-120). Risk is
|
||||
very low, the length appears to be in characters not bytes. </i>
|
||||
<pre>
|
||||
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof wszUserName /sizeof(wszUserName[0]));
|
||||
</pre>
|
||||
|
|
|
|||
152
test-results.txt
152
test-results.txt
|
|
@ -3,129 +3,137 @@ Number of dangerous functions in C/C++ ruleset: 160
|
|||
Examining test.c
|
||||
Examining test2.c
|
||||
test.c:32: [5] (buffer) gets:
|
||||
Does not check for buffer overflows. Use fgets() instead.
|
||||
Does not check for buffer overflows (CWE-120). Use fgets() instead.
|
||||
test.c:56: [5] (buffer) strncat:
|
||||
Easily used incorrectly (e.g., incorrectly computing the correct
|
||||
maximum size to add). Consider strlcat or automatically resizing strings.
|
||||
Risk is high; the length parameter appears to be a constant, instead of
|
||||
computing the number of characters left.
|
||||
maximum size to add) (CWE-120). Consider strcat_s, strlcat, or automatically
|
||||
resizing strings. Risk is high; the length parameter appears to be a
|
||||
constant, instead of computing the number of characters left.
|
||||
test.c:57: [5] (buffer) _tcsncat:
|
||||
Easily used incorrectly (e.g., incorrectly computing the correct
|
||||
maximum size to add). Consider strlcat or automatically resizing strings.
|
||||
Risk is high; the length parameter appears to be a constant, instead of
|
||||
computing the number of characters left.
|
||||
maximum size to add) (CWE-120). Consider strcat_s, strlcat, or automatically
|
||||
resizing strings. Risk is high; the length parameter appears to be a
|
||||
constant, instead of computing the number of characters left.
|
||||
test.c:60: [5] (buffer) MultiByteToWideChar:
|
||||
Requires maximum length in CHARACTERS, not bytes. Risk is high, it
|
||||
appears that the size is given as bytes, but the function requires size as
|
||||
characters.
|
||||
Requires maximum length in CHARACTERS, not bytes (CWE-120). Risk is
|
||||
high, it appears that the size is given as bytes, but the function
|
||||
requires size as characters.
|
||||
test.c:62: [5] (buffer) MultiByteToWideChar:
|
||||
Requires maximum length in CHARACTERS, not bytes. Risk is high, it
|
||||
appears that the size is given as bytes, but the function requires size as
|
||||
characters.
|
||||
Requires maximum length in CHARACTERS, not bytes (CWE-120). Risk is
|
||||
high, it appears that the size is given as bytes, but the function
|
||||
requires size as characters.
|
||||
test.c:73: [5] (misc) SetSecurityDescriptorDacl:
|
||||
Never create NULL ACLs; an attacker can set it to Everyone (Deny All
|
||||
Access), which would even forbid administrator access.
|
||||
Access), which would even forbid administrator access (CWE-732).
|
||||
test.c:73: [5] (misc) SetSecurityDescriptorDacl:
|
||||
Never create NULL ACLs; an attacker can set it to Everyone (Deny All
|
||||
Access), which would even forbid administrator access.
|
||||
Access), which would even forbid administrator access (CWE-732).
|
||||
test.c:17: [4] (buffer) strcpy:
|
||||
Does not check for buffer overflows when copying to destination.
|
||||
Consider using strncpy or strlcpy (warning, strncpy is easily misused).
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is
|
||||
easily misused).
|
||||
test.c:20: [4] (buffer) sprintf:
|
||||
Does not check for buffer overflows. Use snprintf or vsnprintf.
|
||||
Does not check for buffer overflows (CWE-120). Use sprintf_s,
|
||||
snprintf, or vsnprintf.
|
||||
test.c:21: [4] (buffer) sprintf:
|
||||
Does not check for buffer overflows. Use snprintf or vsnprintf.
|
||||
Does not check for buffer overflows (CWE-120). Use sprintf_s,
|
||||
snprintf, or vsnprintf.
|
||||
test.c:22: [4] (format) sprintf:
|
||||
Potential format string problem. Make format string constant.
|
||||
Potential format string problem (CWE-134). Make format string
|
||||
constant.
|
||||
test.c:23: [4] (format) printf:
|
||||
If format strings can be influenced by an attacker, they can be
|
||||
exploited. Use a constant for the format specification.
|
||||
exploited (CWE-134). Use a constant for the format specification.
|
||||
test.c:25: [4] (buffer) scanf:
|
||||
The scanf() family's %s operation, without a limit specification,
|
||||
permits buffer overflows. Specify a limit to %s, or use a different input
|
||||
function.
|
||||
permits buffer overflows (CWE-120). Specify a limit to %s, or use a
|
||||
different input function.
|
||||
test.c:27: [4] (buffer) scanf:
|
||||
The scanf() family's %s operation, without a limit specification,
|
||||
permits buffer overflows. Specify a limit to %s, or use a different input
|
||||
function.
|
||||
permits buffer overflows (CWE-120). Specify a limit to %s, or use a
|
||||
different input function.
|
||||
test.c:38: [4] (format) syslog:
|
||||
If syslog's format strings can be influenced by an attacker, they can
|
||||
be exploited. Use a constant format string for syslog.
|
||||
be exploited (CWE-134). Use a constant format string for syslog.
|
||||
test.c:49: [4] (buffer) _mbscpy:
|
||||
Does not check for buffer overflows when copying to destination.
|
||||
Consider using a function version that stops copying at the end of the
|
||||
buffer.
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Consider using a function version that stops copying at the end of
|
||||
the buffer.
|
||||
test.c:52: [4] (buffer) lstrcat:
|
||||
Does not check for buffer overflows when concatenating to destination.
|
||||
Does not check for buffer overflows when concatenating to destination
|
||||
(CWE-120).
|
||||
test.c:75: [3] (shell) CreateProcess:
|
||||
This causes a new process to execute and is difficult to use safely.
|
||||
Specify the application path in the first argument, NOT as part of the
|
||||
second, or embedded spaces could allow an attacker to force a different
|
||||
program to run.
|
||||
This causes a new process to execute and is difficult to use safely
|
||||
(CWE-78). Specify the application path in the first argument, NOT as part
|
||||
of the second, or embedded spaces could allow an attacker to force a
|
||||
different program to run.
|
||||
test.c:75: [3] (shell) CreateProcess:
|
||||
This causes a new process to execute and is difficult to use safely.
|
||||
Specify the application path in the first argument, NOT as part of the
|
||||
second, or embedded spaces could allow an attacker to force a different
|
||||
program to run.
|
||||
This causes a new process to execute and is difficult to use safely
|
||||
(CWE-78). Specify the application path in the first argument, NOT as part
|
||||
of the second, or embedded spaces could allow an attacker to force a
|
||||
different program to run.
|
||||
test.c:91: [3] (buffer) getopt_long:
|
||||
Some older implementations do not protect against internal buffer
|
||||
overflows . Check implementation on installation, or limit the size of all
|
||||
string inputs.
|
||||
overflows (CWE-120). Check implementation on installation, or limit the
|
||||
size of all string inputs.
|
||||
test.c:16: [2] (buffer) strcpy:
|
||||
Does not check for buffer overflows when copying to destination.
|
||||
Consider using strncpy or strlcpy (warning, strncpy is easily misused). Risk
|
||||
is low because the source is a constant string.
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is
|
||||
easily misused). Risk is low because the source is a constant string.
|
||||
test.c:19: [2] (buffer) sprintf:
|
||||
Does not check for buffer overflows. Use snprintf or vsnprintf. Risk
|
||||
is low because the source has a constant maximum length.
|
||||
Does not check for buffer overflows (CWE-120). Use sprintf_s,
|
||||
snprintf, or vsnprintf. Risk is low because the source has a constant maximum
|
||||
length.
|
||||
test.c:45: [2] (buffer) char:
|
||||
Statically-sized arrays can be overflowed. Perform bounds checking,
|
||||
use functions that limit length, or ensure that the size is larger than
|
||||
the maximum possible length.
|
||||
Statically-sized arrays can be overflowed (CWE-120). Perform bounds
|
||||
checking, use functions that limit length, or ensure that the size is
|
||||
larger than the maximum possible length (CWE-119).
|
||||
test.c:46: [2] (buffer) char:
|
||||
Statically-sized arrays can be overflowed. Perform bounds checking,
|
||||
use functions that limit length, or ensure that the size is larger than
|
||||
the maximum possible length.
|
||||
Statically-sized arrays can be overflowed (CWE-120). Perform bounds
|
||||
checking, use functions that limit length, or ensure that the size is
|
||||
larger than the maximum possible length (CWE-119).
|
||||
test.c:50: [2] (buffer) memcpy:
|
||||
Does not check for buffer overflows when copying to destination. Make
|
||||
sure destination can always hold the source data.
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Make sure destination can always hold the source data.
|
||||
test.c:51: [2] (buffer) CopyMemory:
|
||||
Does not check for buffer overflows when copying to destination. Make
|
||||
sure destination can always hold the source data.
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Make sure destination can always hold the source data.
|
||||
test.c:97: [2] (misc) fopen:
|
||||
Check when opening files - can an attacker redirect it (via symlinks),
|
||||
force the opening of special file type (e.g., device files), move
|
||||
things around to create a race condition, control its ancestors, or change
|
||||
its contents?.
|
||||
its contents? (CWE-362).
|
||||
test.c:15: [1] (buffer) strcpy:
|
||||
Does not check for buffer overflows when copying to destination.
|
||||
Consider using strncpy or strlcpy (warning, strncpy is easily misused). Risk
|
||||
is low because the source is a constant character.
|
||||
Does not check for buffer overflows when copying to destination
|
||||
(CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is
|
||||
easily misused). Risk is low because the source is a constant
|
||||
character.
|
||||
test.c:18: [1] (buffer) sprintf:
|
||||
Does not check for buffer overflows. Use snprintf or vsnprintf. Risk
|
||||
is low because the source is a constant character.
|
||||
Does not check for buffer overflows (CWE-120). Use sprintf_s,
|
||||
snprintf, or vsnprintf. Risk is low because the source is a constant character.
|
||||
test.c:26: [1] (buffer) scanf:
|
||||
it's unclear if the %s limit in the format string is small enough.
|
||||
Check that the limit is sufficiently small, or use a different input
|
||||
function.
|
||||
it's unclear if the %s limit in the format string is small enough
|
||||
(CWE-120). Check that the limit is sufficiently small, or use a different
|
||||
input function.
|
||||
test.c:53: [1] (buffer) strncpy:
|
||||
Easily used incorrectly; doesn't always \0-terminate or check for
|
||||
invalid pointers.
|
||||
invalid pointers (CWE-120).
|
||||
test.c:54: [1] (buffer) _tcsncpy:
|
||||
Easily used incorrectly; doesn't always \0-terminate or check for
|
||||
invalid pointers.
|
||||
invalid pointers (CWE-120).
|
||||
test.c:55: [1] (buffer) strncat:
|
||||
Easily used incorrectly (e.g., incorrectly computing the correct
|
||||
maximum size to add). Consider strlcat or automatically resizing strings.
|
||||
maximum size to add) (CWE-120). Consider strcat_s, strlcat, or automatically
|
||||
resizing strings.
|
||||
test.c:58: [1] (buffer) strlen:
|
||||
Does not handle strings that are not \0-terminated (it could cause a
|
||||
crash if unprotected).
|
||||
crash if unprotected) (CWE-119).
|
||||
test.c:64: [1] (buffer) MultiByteToWideChar:
|
||||
Requires maximum length in CHARACTERS, not bytes. Risk is very low,
|
||||
the length appears to be in characters not bytes.
|
||||
Requires maximum length in CHARACTERS, not bytes (CWE-120). Risk is
|
||||
very low, the length appears to be in characters not bytes.
|
||||
test.c:66: [1] (buffer) MultiByteToWideChar:
|
||||
Requires maximum length in CHARACTERS, not bytes. Risk is very low,
|
||||
the length appears to be in characters not bytes.
|
||||
Requires maximum length in CHARACTERS, not bytes (CWE-120). Risk is
|
||||
very low, the length appears to be in characters not bytes.
|
||||
|
||||
Hits = 36
|
||||
Lines analyzed = 118
|
||||
|
|
|
|||
Loading…
Reference in New Issue