diff --git a/correct-results.html b/correct-results.html
index b45ac94..1f9bfb3 100644
--- a/correct-results.html
+++ b/correct-results.html
@@ -9,9 +9,9 @@

Flawfinder Results

Here are the security scan results from -Flawfinder version 1.31, +Flawfinder version 1.32, (C) 2001-2014 David A. Wheeler. -Number of rules (primarily dangerous function names) in C/C++ ruleset: 169 +Number of rules (primarily dangerous function names) in C/C++ ruleset: 188

Examining test.c
Examining test2.c
@@ -77,8 +77,8 @@ Examining test2.c
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);

  • test.c:17: [4] (buffer) strcpy: - Does not check for buffer overflows when copying to destination (CWE-120). + Does not check for buffer overflows when copying to destination [MS-banned] + (CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily misused).
    @@ -139,8 +139,8 @@ Examining test2.c 
    syslog(LOG_ERR, attacker_string);
  • test.c:49: [4] (buffer) _mbscpy: - Does not check for buffer overflows when copying to destination (CWE-120). + Does not check for buffer overflows when copying to destination [MS-banned] + (CWE-120). Consider using a function version that stops copying at the end of the buffer.
    @@ -179,8 +179,8 @@ Examining test2.c 
    while ((optc = getopt_long (argc, argv, "a",longopts, NULL )) != EOF) {
  • test.c:16: [2] (buffer) strcpy: - Does not check for buffer overflows when copying to destination (CWE-120). + Does not check for buffer overflows when copying to destination [MS-banned] + (CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily misused). Risk is low because the source is a constant string.
    @@ -196,7 +196,7 @@ Examining test2.c 
  • test.c:45: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential - overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. @@ -205,7 +205,7 @@ Examining test2.c
  • test.c:46: [2] (buffer) char: Statically-sized arrays can be improperly restricted, leading to potential - overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. @@ -236,8 +236,8 @@ Examining test2.c
    f = fopen("/etc/passwd", "r");
  • test.c:15: [1] (buffer) strcpy: - Does not check for buffer overflows when copying to destination (CWE-120). + Does not check for buffer overflows when copying to destination [MS-banned] + (CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily misused). Risk is low because the source is a constant character.
    @@ -260,14 +260,14 @@ Examining test2.c 
  • test.c:53: [1] (buffer) strncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid - pointers (CWE-120).
       strncpy(d,s);
     
  • test.c:54: [1] (buffer) _tcsncpy: Easily used incorrectly; doesn't always \0-terminate or check for invalid - pointers (CWE-120).
       _tcsncpy(d,s);
    diff --git a/correct-results.txt b/correct-results.txt
    index d2f5981..40d3574 100644
    --- a/correct-results.txt
    +++ b/correct-results.txt
    @@ -1,5 +1,5 @@
    -Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler.
    -Number of rules (primarily dangerous function names) in C/C++ ruleset: 169
    +Flawfinder version 1.32, (C) 2001-2014 David A. Wheeler.
    +Number of rules (primarily dangerous function names) in C/C++ ruleset: 188
     Examining test.c
     Examining test2.c
     
    @@ -32,9 +32,9 @@ test.c:73:  [5] (misc) SetSecurityDescriptorDacl:
       Never create NULL ACLs; an attacker can set it to Everyone (Deny All
       Access), which would even forbid administrator access (CWE-732).
     test.c:17:  [4] (buffer) strcpy:
    -  Does not check for buffer overflows when copying to destination (CWE-120).
    -  Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
    -  misused).
    +  Does not check for buffer overflows when copying to destination [MS-banned]
    +  (CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy
    +  is easily misused).
     test.c:20:  [4] (buffer) sprintf:
       Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
       vsnprintf.
    @@ -58,9 +58,9 @@ test.c:38:  [4] (format) syslog:
       If syslog's format strings can be influenced by an attacker, they can be
       exploited (CWE-134). Use a constant format string for syslog.
     test.c:49:  [4] (buffer) _mbscpy:
    -  Does not check for buffer overflows when copying to destination (CWE-120).
    -  Consider using a function version that stops copying at the end of the
    -  buffer.
    +  Does not check for buffer overflows when copying to destination [MS-banned]
    +  (CWE-120). Consider using a function version that stops copying at the end
    +  of the buffer.
     test.c:52:  [4] (buffer) lstrcat:
       Does not check for buffer overflows when concatenating to destination
       (CWE-120).
    @@ -79,20 +79,20 @@ test.c:91:  [3] (buffer) getopt_long:
       (CWE-120, CWE-20). Check implementation on installation, or limit the size
       of all string inputs.
     test.c:16:  [2] (buffer) strcpy:
    -  Does not check for buffer overflows when copying to destination (CWE-120).
    -  Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
    -  misused). Risk is low because the source is a constant string.
    +  Does not check for buffer overflows when copying to destination [MS-banned]
    +  (CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy
    +  is easily misused). Risk is low because the source is a constant string.
     test.c:19:  [2] (buffer) sprintf:
       Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
       vsnprintf. Risk is low because the source has a constant maximum length.
     test.c:45:  [2] (buffer) char:
       Statically-sized arrays can be improperly restricted, leading to potential
    -  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
    +  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
       functions that limit length, or ensure that the size is larger than the
       maximum possible length.
     test.c:46:  [2] (buffer) char:
       Statically-sized arrays can be improperly restricted, leading to potential
    -  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
    +  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
       functions that limit length, or ensure that the size is larger than the
       maximum possible length.
     test.c:50:  [2] (buffer) memcpy:
    @@ -107,9 +107,9 @@ test.c:97:  [2] (misc) fopen:
       around to create a race condition, control its ancestors, or change its
       contents? (CWE-362).
     test.c:15:  [1] (buffer) strcpy:
    -  Does not check for buffer overflows when copying to destination (CWE-120).
    -  Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily
    -  misused). Risk is low because the source is a constant character.
    +  Does not check for buffer overflows when copying to destination [MS-banned]
    +  (CWE-120). Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy
    +  is easily misused). Risk is low because the source is a constant character.
     test.c:18:  [1] (buffer) sprintf:
       Does not check for buffer overflows (CWE-120). Use sprintf_s, snprintf, or
       vsnprintf. Risk is low because the source is a constant character.
    @@ -119,10 +119,10 @@ test.c:26:  [1] (buffer) scanf:
       input function.
     test.c:53:  [1] (buffer) strncpy:
       Easily used incorrectly; doesn't always \0-terminate or check for invalid
    -  pointers (CWE-120).
    +  pointers [MS-banned] (CWE-120).
     test.c:54:  [1] (buffer) _tcsncpy:
       Easily used incorrectly; doesn't always \0-terminate or check for invalid
    -  pointers (CWE-120).
    +  pointers [MS-banned] (CWE-120).
     test.c:55:  [1] (buffer) strncat:
       Easily used incorrectly (e.g., incorrectly computing the correct maximum
       size to add) (CWE-120). Consider strcat_s, strlcat, or automatically
    diff --git a/flawfinder b/flawfinder
    index ad7d034..2a43e92 100755
    --- a/flawfinder
    +++ b/flawfinder
    @@ -733,15 +733,26 @@ def normal(hit):
     # See the definition for class "Hit".
     # The key can have multiple values separated with "|".
     
    +# For more information on Microsoft banned functions, see:
    +# http://msdn.microsoft.com/en-us/library/bb288454.aspx
    +
     c_ruleset = {
       "strcpy" :
          (c_buffer, 4,
    -      "Does not check for buffer overflows when copying to destination (CWE-120)",
    +      "Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120)",
    +      "Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily misused)",
    +      "buffer", "", {}),
    +  "strcpyA|strcpyW|StrCpy|StrCpyA|lstrcpyA|lstrcpyW|_tccpy|_mbccpy|_ftcscpy|_mbsncpy|StrCpyN|StrCpyNA|StrCpyNW|StrNCpy|strcpynA|StrNCpyA|StrNCpyW|lstrcpynA|lstrcpynW" :
    +      # We need more info on these functions; I got their names from the
    +      # Microsoft "banned" list.  For now, just use "normal" to process them
    +      # instead of "c_buffer".
    +     (normal, 4,
    +      "Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120)",
           "Consider using strcpy_s, strncpy, or strlcpy (warning, strncpy is easily misused)",
           "buffer", "", {}),
       "lstrcpy|wcscpy|_tcscpy|_mbscpy" :
          (c_buffer, 4,
    -      "Does not check for buffer overflows when copying to destination (CWE-120)",
    +      "Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120)",
           "Consider using a function version that stops copying at the end of the buffer",
           "buffer", "", {}),
       "memcpy|CopyMemory|bcopy" :
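Review bot: The new rule key at line 138 mixes bounded copy functions (`_mbsncpy`, `StrCpyN`, `StrNCpy`, `strcpynA`, `lstrcpynA`, `lstrcpynW`) into a level-4 entry whose text says the function "Does not check for buffer overflows" and advises switching to strncpy, while the existing `"lstrcpyn|wcsncpy|_tcsncpy|_mbsnbcpy"` rule at line 161 (and the hunk at @@ -772) keeps the same family at level 1 with the "doesn't always \0-terminate" wording, so `lstrcpyn` and `lstrcpynA` now receive different risk levels and contradictory advice. Consider moving the length-taking names into that level-1 rule, or at least giving them its description. The comment at lines 139-141 already admits these entries need more information; marking it `# TODO: classify the MS-banned names; several take a length argument` would make the follow-up easier to find. Using `normal` instead of `c_buffer` presumably also drops whatever extra analysis `c_buffer` performs for the other copy functions, which the comment should say explicitly.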
    @@ -764,7 +775,7 @@ c_ruleset = {
           1, # Low risk level, because this is often used correctly when FIXING security
           # problems, and raising it to a higher risk level would cause many false positives.
           "Easily used incorrectly; doesn't always \\0-terminate or " +
    -         "check for invalid pointers (CWE-120)",
    +         "check for invalid pointers [MS-banned] (CWE-120)",
           "",
           "buffer", "", {}),
       "lstrcpyn|wcsncpy|_tcsncpy|_mbsnbcpy" :
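Review bot: The changed text at line 158 tags strncpy as [MS-banned], yet the added advice line 136 and the unchanged line 144 of the strcpy rules earlier in this file still read `Consider using strcpy_s, strncpy, or strlcpy`, so the tool now recommends a function it labels banned in the same run. Consider dropping strncpy from that advice, e.g. `Consider using strcpy_s or strlcpy`, or qualifying it as `or strncpy (warning, strncpy is easily misused and is itself MS-banned)`. The rule this hunk edits begins before the hunk start, so its key is not visible here; from the updated correct-results.txt it appears to be the strncpy rule.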
    @@ -772,7 +783,7 @@ c_ruleset = {
           1, # Low risk level, because this is often used correctly when FIXING security
           # problems, and raising it to a higher risk levle would cause many false positives.
           "Easily used incorrectly; doesn't always \\0-terminate or " +
    -         "check for invalid pointers (CWE-120)",
    +         "check for invalid pointers [MS-banned] (CWE-120)",
           "",
           "buffer", "", {}),
       "strncat" :
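Review bot: The context comment at line 164 misspells `level` as `levle`; since this hunk already touches the same rule, fixing it to `# problems, and raising it to a higher risk level would cause many false positives.` would be cheap and keeps it consistent with the identical comment at line 155. The rule's key line lies before the hunk start.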
    diff --git a/flawfinder.1 b/flawfinder.1
    index 5881751..10672e1 100644
    --- a/flawfinder.1
    +++ b/flawfinder.1
    @@ -100,6 +100,10 @@ Hit descriptions also note the relevant
     Common Weakness Enumeration (CWE) identifier(s) in parentheses,
     as discussed below.
     Flawfinder is officially CWE-Compatible.
    +Hit descriptions with "[MS-banned]" indicate functions that are in the
    +banned list of functions released by Microsoft; see
    +http://msdn.microsoft.com/en-us/library/bb288454.aspx
    +for more information about banned functions.
     .PP
     Not every hit is actually a security vulnerability, 
     and not every security vulnerability is necessarily found.