diff --git a/correct-results.html b/correct-results.html
index b45ac94..1f9bfb3 100644
--- a/correct-results.html
+++ b/correct-results.html
@@ -9,9 +9,9 @@
Examining test.c
Examining test2.c
@@ -77,8 +77,8 @@ Examining test2.c
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);
@@ -139,8 +139,8 @@ Examining test2.c
syslog(LOG_ERR, attacker_string);
@@ -179,8 +179,8 @@ Examining test2.c
while ((optc = getopt_long (argc, argv, "a",longopts, NULL )) != EOF) {
@@ -196,7 +196,7 @@ Examining test2.c
@@ -260,14 +260,14 @@ Examining test2.c
strncpy(d,s);
_tcsncpy(d,s); diff --git a/correct-results.txt b/correct-results.txt index d2f5981..40d3574 100644 --- a/correct-results.txt +++ b/correct-results.txt @@ -1,5 +1,5 @@ -Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler. -Number of rules (primarily dangerous function names) in C/C++ ruleset: 169 +Flawfinder version 1.32, (C) 2001-2014 David A. Wheeler. +Number of rules (primarily dangerous function names) in C/C++ ruleset: 188 Examining test.c Examining test2.c @@ -32,9 +32,9 @@ test.c:73: [5] (misc) SetSecurityDescriptorDacl: Never create NULL ACLs; an attacker can set it to Everyone (Deny All Access), which would even forbid administrator access (CWE-732). test.c:17: [4] (buffer) strcpy: - Does not check for buffer overflows when copying to destination (CWE-120). - Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily - misused). + Does not check for buffer overflows when copying to destination [MS-banned] + (CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy + is easily misused). test.c:20: [4] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. @@ -58,9 +58,9 @@ test.c:38: [4] (format) syslog: If syslog's format strings can be influenced by an attacker, they can be exploited (CWE-134). Use a constant format string for syslog. test.c:49: [4] (buffer) _mbscpy: - Does not check for buffer overflows when copying to destination (CWE-120). - Consider using a function version that stops copying at the end of the - buffer. + Does not check for buffer overflows when copying to destination [MS-banned] + (CWE-120). Consider using a function version that stops copying at the end + of the buffer. test.c:52: [4] (buffer) lstrcat: Does not check for buffer overflows when concatenating to destination (CWE-120). 
@@ -79,20 +79,20 @@ test.c:91: [3] (buffer) getopt_long: (CWE-120, CWE-20). Check implementation on installation, or limit the size of all string inputs. test.c:16: [2] (buffer) strcpy: - Does not check for buffer overflows when copying to destination (CWE-120). - Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily - misused). Risk is low because the source is a constant string. + Does not check for buffer overflows when copying to destination [MS-banned] + (CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy + is easily misused). Risk is low because the source is a constant string. test.c:19: [2] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a constant maximum length. test.c:45: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential - overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. test.c:46: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential - overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use + overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. test.c:50: [2] (buffer) memcpy: 
@@ -107,9 +107,9 @@ test.c:97: [2] (misc) fopen: around to create a race condition, control its ancestors, or change its contents? (CWE-362). test.c:15: [1] (buffer) strcpy: - Does not check for buffer overflows when copying to destination (CWE-120). - Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily - misused). Risk is low because the source is a constant character. + Does not check for buffer overflows when copying to destination [MS-banned] + (CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy + is easily misused). Risk is low because the source is a constant character. test.c:18: [1] (buffer) sprintf: Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or vsnprintf. Risk is low because the source is a constant character. @@ -119,10 +119,10 @@ test.c:26: [1] (buffer) scanf: input function. test.c:53: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid - pointers (CWE-120). + pointers [MS-banned] (CWE-120). test.c:54: [1] (buffer) _tcsncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid - pointers (CWE-120). + pointers [MS-banned] (CWE-120). test.c:55: [1] (buffer) strncat: Easily used incorrectly (e.g., incorrectly computing the correct maximum size to add) (CWE-120). Consider strcat_s, strlcat, or automatically diff --git a/flawfinder b/flawfinder index ad7d034..2a43e92 100755 --- a/flawfinder +++ b/flawfinder 
@@ -733,15 +733,26 @@ def normal(hit): # See the definition for class "Hit". # The key can have multiple values separated with "|". +# For more information on Microsoft banned functions, see: +# http://msdn.microsoft.com/en-us/library/bb288454.aspx + c_ruleset = { "strcpy" : (c_buffer, 4, - "Does not check for buffer overflows when copying to destination (CWE-120)", + "Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120)", + "Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily misused)", + "buffer", "", {}), + "strcpyA|strcpyW|StrCpy|StrCpyA|lstrcpyA|lstrcpyW|_tccpy|_mbccpy|_ftcscpy|_mbsncpy|StrCpyN|StrCpyNA|StrCpyNW|StrNCpy|strcpynA|StrNCpyA|StrNCpyW|lstrcpynA|lstrcpynW" : + # We need more info on these functions; I got their names from the + # Microsoft "banned" list. For now, just use "normal" to process them + # instead of "c_buffer". + (normal, 4, + "Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120)", "Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily misused)", "buffer", "", {}), "lstrcpy|wcscpy|_tcscpy|_mbscpy" : (c_buffer, 4, - "Does not check for buffer overflows when copying to destination (CWE-120)", + "Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120)", "Consider using a function version that stops copying at the end of the buffer", "buffer", "", {}), "memcpy|CopyMemory|bcopy" : @@ -764,7 +775,7 @@ c_ruleset = { 1, # Low risk level, because this is often used correctly when FIXING security # problems, and raising it to a higher risk level would cause many false positives. "Easily used incorrectly; doesn't always \\0-terminate or " + - "check for invalid pointers (CWE-120)", + "check for invalid pointers [MS-banned] (CWE-120)", "", "buffer", "", {}), "lstrcpyn|wcsncpy|_tcsncpy|_mbsnbcpy" : 
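Review bot: The new level-4 rule keyed on `strcpyA|strcpyW|…|lstrcpynW` mixes plain copies with names that take a length argument (StrCpyN/StrCpyNA/StrCpyNW, StrNCpy/StrNCpyA/StrNCpyW, strcpynA, lstrcpynA/lstrcpynW, _mbsncpy), so those are reported as "Does not check for buffer overflows when copying to destination" and told to switch to strncpy, which they already are a variant of. The file already has a level-1 rule for the bounded family (`"lstrcpyn|wcsncpy|_tcsncpy|_mbsnbcpy"` in the following hunk) carrying the "Easily used incorrectly; doesn't always \0-terminate" text, and that is where these names belong; concretely, shrink the new key to `"strcpyA|strcpyW|StrCpy|StrCpyA|lstrcpyA|lstrcpyW|_tccpy|_mbccpy|_ftcscpy" :` and extend the existing one to `"lstrcpyn|wcsncpy|_tcsncpy|_mbsnbcpy|_mbsncpy|StrCpyN|StrCpyNA|StrCpyNW|StrNCpy|strcpynA|StrNCpyA|StrNCpyW|lstrcpynA|lstrcpynW" :`. The hunk's own comment says the names were copied from the banned list without further information, so this grouping is by naming convention and should be confirmed against the API documentation before the level is changed. Processing the new entry with `normal` rather than `c_buffer` also presumably loses whatever constant-source risk adjustment c_buffer applies to strcpy (the expected output shows "Risk is low because the source is a constant string" for that rule), so if that is deliberate it deserves a sentence in the comment.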
@@ -772,7 +783,7 @@ c_ruleset = { 1, # Low risk level, because this is often used correctly when FIXING security # problems, and raising it to a higher risk levle would cause many false positives. "Easily used incorrectly; doesn't always \\0-terminate or " + - "check for invalid pointers (CWE-120)", + "check for invalid pointers [MS-banned] (CWE-120)", "", "buffer", "", {}), "strncat" : diff --git a/flawfinder.1 b/flawfinder.1 index 5881751..10672e1 100644 --- a/flawfinder.1 +++ b/flawfinder.1 @@ -100,6 +100,10 @@ Hit descriptions also note the relevant Common Weakness Enumeration (CWE) identifier(s) in parentheses, as discussed below. Flawfinder is officially CWE-Compatible. +Hit descriptions with "[MS-banned]" indicate functions that are in the +banned list of functions released by Microsoft; see +http://msdn.microsoft.com/en-us/library/bb288454.aspx +for more information about banned functions. .PP Not every hit is actually a security vulnerability, and not every security vulnerability is necessarily found.