359 lines
15 KiB
HTML
359 lines
15 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
|
<html>
|
|
<head>
|
|
<meta http-equiv="Content-type" content="text/html; charset=utf8">
|
|
<title>Flawfinder Results</title>
|
|
<meta name="author" content="David A. Wheeler">
|
|
<meta name="keywords" lang="en" content="flawfinder results, security scan">
|
|
</head>
|
|
<body>
|
|
<h1>Flawfinder Results</h1>
|
|
Here are the security scan results from
|
|
<a href="https://dwheeler.com/flawfinder">Flawfinder version 2.0.19</a>,
|
|
(C) 2001-2019 <a href="https://dwheeler.com">David A. Wheeler</a>.
|
|
Number of rules (primarily dangerous function names) in C/C++ ruleset: 222
|
|
<p>
|
|
Examining test.c <br>
|
|
Examining test2.c <br>
|
|
|
|
<h2>Final Results</h2>
|
|
<ul>
|
|
<li>test.c:32: <b> [5] </b> (buffer) <i> gets:
|
|
Does not check for buffer overflows (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>, <a
|
|
href="https://cwe.mitre.org/data/definitions/20.html">CWE-20</a>). Use
|
|
fgets() instead. </i>
|
|
<pre>
|
|
gets(f);
|
|
</pre>
|
|
<li>test.c:60: <b> [5] </b> (buffer) <i> strncat:
|
|
Easily used incorrectly (e.g., incorrectly computing the correct maximum
|
|
size to add) [MS-banned] (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>).
|
|
Consider strcat_s, strlcat, snprintf, or automatically resizing strings.
|
|
Risk is high; the length parameter appears to be a constant, instead of
|
|
computing the number of characters left. </i>
|
|
<pre>
|
|
strncat(d,s,sizeof(d)); /* Misuse - this should be flagged as riskier. */
|
|
</pre>
|
|
<li>test.c:61: <b> [5] </b> (buffer) <i> _tcsncat:
|
|
Easily used incorrectly (e.g., incorrectly computing the correct maximum
|
|
size to add) [MS-banned] (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>).
|
|
Consider strcat_s, strlcat, or automatically resizing strings. Risk is
|
|
high; the length parameter appears to be a constant, instead of computing
|
|
the number of characters left. </i>
|
|
<pre>
|
|
_tcsncat(d,s,sizeof(d)); /* Misuse - flag as riskier */
|
|
</pre>
|
|
<li>test.c:64: <b> [5] </b> (buffer) <i> MultiByteToWideChar:
|
|
Requires maximum length in CHARACTERS, not bytes (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>). Risk
|
|
is high, it appears that the size is given as bytes, but the function
|
|
requires size as characters. </i>
|
|
<pre>
|
|
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName));
|
|
</pre>
|
|
<li>test.c:66: <b> [5] </b> (buffer) <i> MultiByteToWideChar:
|
|
Requires maximum length in CHARACTERS, not bytes (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>). Risk
|
|
is high, it appears that the size is given as bytes, but the function
|
|
requires size as characters. </i>
|
|
<pre>
|
|
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof wszUserName);
|
|
</pre>
|
|
<li>test.c:77: <b> [5] </b> (misc) <i> SetSecurityDescriptorDacl:
|
|
Never create NULL ACLs; an attacker can set it to Everyone (Deny All
|
|
Access), which would even forbid administrator access (<a
|
|
href="https://cwe.mitre.org/data/definitions/732.html">CWE-732</a>). </i>
|
|
<pre>
|
|
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);
|
|
</pre>
|
|
<li>test.c:77: <b> [5] </b> (misc) <i> SetSecurityDescriptorDacl:
|
|
Never create NULL ACLs; an attacker can set it to Everyone (Deny All
|
|
Access), which would even forbid administrator access (<a
|
|
href="https://cwe.mitre.org/data/definitions/732.html">CWE-732</a>). </i>
|
|
<pre>
|
|
SetSecurityDescriptorDacl(&sd,TRUE,NULL,FALSE);
|
|
</pre>
|
|
<li>test.c:17: <b> [4] </b> (buffer) <i> strcpy:
|
|
Does not check for buffer overflows when copying to destination [MS-banned]
|
|
(<a href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>).
|
|
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily
|
|
misused). </i>
|
|
<pre>
|
|
strcpy(b, a);
|
|
</pre>
|
|
<li>test.c:20: <b> [4] </b> (buffer) <i> sprintf:
|
|
Does not check for buffer overflows (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>). Use
|
|
sprintf_s, snprintf, or vsnprintf. </i>
|
|
<pre>
|
|
sprintf(s, "hello %s", bug);
|
|
</pre>
|
|
<li>test.c:21: <b> [4] </b> (buffer) <i> sprintf:
|
|
Does not check for buffer overflows (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>). Use
|
|
sprintf_s, snprintf, or vsnprintf. </i>
|
|
<pre>
|
|
sprintf(s, gettext("hello %s"), bug);
|
|
</pre>
|
|
<li>test.c:22: <b> [4] </b> (format) <i> sprintf:
|
|
Potential format string problem (<a
|
|
href="https://cwe.mitre.org/data/definitions/134.html">CWE-134</a>). Make
|
|
format string constant. </i>
|
|
<pre>
|
|
sprintf(s, unknown, bug);
|
|
</pre>
|
|
<li>test.c:23: <b> [4] </b> (format) <i> printf:
|
|
If format strings can be influenced by an attacker, they can be exploited
|
|
(<a href="https://cwe.mitre.org/data/definitions/134.html">CWE-134</a>).
|
|
Use a constant for the format specification. </i>
|
|
<pre>
|
|
printf(bf, x);
|
|
</pre>
|
|
<li>test.c:25: <b> [4] </b> (buffer) <i> scanf:
|
|
The scanf() family's %s operation, without a limit specification, permits
|
|
buffer overflows (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>, <a
|
|
href="https://cwe.mitre.org/data/definitions/20.html">CWE-20</a>). Specify
|
|
a limit to %s, or use a different input function. </i>
|
|
<pre>
|
|
scanf("%s", s);
|
|
</pre>
|
|
<li>test.c:27: <b> [4] </b> (buffer) <i> scanf:
|
|
The scanf() family's %s operation, without a limit specification, permits
|
|
buffer overflows (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>, <a
|
|
href="https://cwe.mitre.org/data/definitions/20.html">CWE-20</a>). Specify
|
|
a limit to %s, or use a different input function. </i>
|
|
<pre>
|
|
scanf("%s", s);
|
|
</pre>
|
|
<li>test.c:38: <b> [4] </b> (format) <i> syslog:
|
|
If syslog's format strings can be influenced by an attacker, they can be
|
|
exploited (<a
|
|
href="https://cwe.mitre.org/data/definitions/134.html">CWE-134</a>). Use a
|
|
constant format string for syslog. </i>
|
|
<pre>
|
|
syslog(LOG_ERR, attacker_string);
|
|
</pre>
|
|
<li>test.c:49: <b> [4] </b> (buffer) <i> _mbscpy:
|
|
Does not check for buffer overflows when copying to destination [MS-banned]
|
|
(<a href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>).
|
|
Consider using a function version that stops copying at the end of the
|
|
buffer. </i>
|
|
<pre>
|
|
_mbscpy(d,s); /* like strcpy, this doesn't check for buffer overflow */
|
|
</pre>
|
|
<li>test.c:56: <b> [4] </b> (buffer) <i> lstrcat:
|
|
Does not check for buffer overflows when concatenating to destination
|
|
[MS-banned] (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>). </i>
|
|
<pre>
|
|
lstrcat(d,s);
|
|
</pre>
|
|
<li>test.c:79: <b> [3] </b> (shell) <i> CreateProcess:
|
|
This causes a new process to execute and is difficult to use safely (<a
|
|
href="https://cwe.mitre.org/data/definitions/78.html">CWE-78</a>). Specify
|
|
the application path in the first argument, NOT as part of the second, or
|
|
embedded spaces could allow an attacker to force a different program to
|
|
run. </i>
|
|
<pre>
|
|
CreateProcess(NULL, "C:\\Program Files\\GoodGuy\\GoodGuy.exe -x", "");
|
|
</pre>
|
|
<li>test.c:79: <b> [3] </b> (shell) <i> CreateProcess:
|
|
This causes a new process to execute and is difficult to use safely (<a
|
|
href="https://cwe.mitre.org/data/definitions/78.html">CWE-78</a>). Specify
|
|
the application path in the first argument, NOT as part of the second, or
|
|
embedded spaces could allow an attacker to force a different program to
|
|
run. </i>
|
|
<pre>
|
|
CreateProcess(NULL, "C:\\Program Files\\GoodGuy\\GoodGuy.exe -x", "");
|
|
</pre>
|
|
<li>test.c:81: <b> [3] </b> (misc) <i> LoadLibraryEx:
|
|
Ensure that the full path to the library is specified, or current directory
|
|
may be used (<a
|
|
href="https://cwe.mitre.org/data/definitions/829.html">CWE-829</a>, <a
|
|
href="https://cwe.mitre.org/data/definitions/20.html">CWE-20</a>). Use a
|
|
flag like LOAD_LIBRARY_SEARCH_SYSTEM32 or
|
|
LOAD_LIBRARY_SEARCH_APPLICATION_DIR to search only desired folders. </i>
|
|
<pre>
|
|
(void) LoadLibraryEx(L"user32.dll", nullptr, LOAD_LIBRARY_AS_DATAFILE);
|
|
</pre>
|
|
<li>test.c:99: <b> [3] </b> (buffer) <i> getopt_long:
|
|
Some older implementations do not protect against internal buffer overflows
|
|
(<a href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>, <a
|
|
href="https://cwe.mitre.org/data/definitions/20.html">CWE-20</a>). Check
|
|
implementation on installation, or limit the size of all string inputs. </i>
|
|
<pre>
|
|
while ((optc = getopt_long (argc, argv, "a",longopts, NULL )) != EOF) {
|
|
</pre>
|
|
<li>test.c:16: <b> [2] </b> (buffer) <i> strcpy:
|
|
Does not check for buffer overflows when copying to destination [MS-banned]
|
|
(<a href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>).
|
|
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily
|
|
misused). Risk is low because the source is a constant string. </i>
|
|
<pre>
|
|
strcpy(a, gettext("Hello there")); // Did this work?
|
|
</pre>
|
|
<li>test.c:19: <b> [2] </b> (buffer) <i> sprintf:
|
|
Does not check for buffer overflows (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>). Use
|
|
sprintf_s, snprintf, or vsnprintf. Risk is low because the source has a
|
|
constant maximum length. </i>
|
|
<pre>
|
|
sprintf(s, "hello");
|
|
</pre>
|
|
<li>test.c:45: <b> [2] </b> (buffer) <i> char:
|
|
Statically-sized arrays can be improperly restricted, leading to potential
|
|
overflows or other issues (<a
|
|
href="https://cwe.mitre.org/data/definitions/119.html">CWE-119</a>!/<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>).
|
|
Perform bounds checking, use functions that limit length, or ensure that
|
|
the size is larger than the maximum possible length. </i>
|
|
<pre>
|
|
char d[20];
|
|
</pre>
|
|
<li>test.c:46: <b> [2] </b> (buffer) <i> char:
|
|
Statically-sized arrays can be improperly restricted, leading to potential
|
|
overflows or other issues (<a
|
|
href="https://cwe.mitre.org/data/definitions/119.html">CWE-119</a>!/<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>).
|
|
Perform bounds checking, use functions that limit length, or ensure that
|
|
the size is larger than the maximum possible length. </i>
|
|
<pre>
|
|
char s[20];
|
|
</pre>
|
|
<li>test.c:50: <b> [2] </b> (buffer) <i> memcpy:
|
|
Does not check for buffer overflows when copying to destination (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>). Make
|
|
sure destination can always hold the source data. </i>
|
|
<pre>
|
|
memcpy(d,s); // fail - no size
|
|
</pre>
|
|
<li>test.c:53: <b> [2] </b> (buffer) <i> memcpy:
|
|
Does not check for buffer overflows when copying to destination (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>). Make
|
|
sure destination can always hold the source data. </i>
|
|
<pre>
|
|
memcpy(&n,s,sizeof(s)); // fail - sizeof not of destination
|
|
</pre>
|
|
<li>test.c:54: <b> [2] </b> (buffer) <i> memcpy:
|
|
Does not check for buffer overflows when copying to destination (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>). Make
|
|
sure destination can always hold the source data. </i>
|
|
<pre>
|
|
memcpy(d,s,n); // fail - size unguessable
|
|
</pre>
|
|
<li>test.c:55: <b> [2] </b> (buffer) <i> CopyMemory:
|
|
Does not check for buffer overflows when copying to destination (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>). Make
|
|
sure destination can always hold the source data. </i>
|
|
<pre>
|
|
CopyMemory(d,s);
|
|
</pre>
|
|
<li>test.c:105: <b> [2] </b> (misc) <i> fopen:
|
|
Check when opening files - can an attacker redirect it (via symlinks),
|
|
force the opening of special file type (e.g., device files), move things
|
|
around to create a race condition, control its ancestors, or change its
|
|
contents? (<a
|
|
href="https://cwe.mitre.org/data/definitions/362.html">CWE-362</a>). </i>
|
|
<pre>
|
|
f = fopen("/etc/passwd", "r");
|
|
</pre>
|
|
<li>test.c:15: <b> [1] </b> (buffer) <i> strcpy:
|
|
Does not check for buffer overflows when copying to destination [MS-banned]
|
|
(<a href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>).
|
|
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily
|
|
misused). Risk is low because the source is a constant character. </i>
|
|
<pre>
|
|
strcpy(a, "\n"); // Did this work?
|
|
</pre>
|
|
<li>test.c:18: <b> [1] </b> (buffer) <i> sprintf:
|
|
Does not check for buffer overflows (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>). Use
|
|
sprintf_s, snprintf, or vsnprintf. Risk is low because the source is a
|
|
constant character. </i>
|
|
<pre>
|
|
sprintf(s, "\n");
|
|
</pre>
|
|
<li>test.c:26: <b> [1] </b> (buffer) <i> scanf:
|
|
It's unclear if the %s limit in the format string is small enough (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>). Check
|
|
that the limit is sufficiently small, or use a different input function. </i>
|
|
<pre>
|
|
scanf("%10s", s);
|
|
</pre>
|
|
<li>test.c:57: <b> [1] </b> (buffer) <i> strncpy:
|
|
Easily used incorrectly; doesn't always \0-terminate or check for invalid
|
|
pointers [MS-banned] (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>). </i>
|
|
<pre>
|
|
strncpy(d,s);
|
|
</pre>
|
|
<li>test.c:58: <b> [1] </b> (buffer) <i> _tcsncpy:
|
|
Easily used incorrectly; doesn't always \0-terminate or check for invalid
|
|
pointers [MS-banned] (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>). </i>
|
|
<pre>
|
|
_tcsncpy(d,s);
|
|
</pre>
|
|
<li>test.c:59: <b> [1] </b> (buffer) <i> strncat:
|
|
Easily used incorrectly (e.g., incorrectly computing the correct maximum
|
|
size to add) [MS-banned] (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>).
|
|
Consider strcat_s, strlcat, snprintf, or automatically resizing strings. </i>
|
|
<pre>
|
|
strncat(d,s,10);
|
|
</pre>
|
|
<li>test.c:62: <b> [1] </b> (buffer) <i> strlen:
|
|
Does not handle strings that are not \0-terminated; if given one it may
|
|
perform an over-read (it could cause a crash if unprotected) (<a
|
|
href="https://cwe.mitre.org/data/definitions/126.html">CWE-126</a>). </i>
|
|
<pre>
|
|
n = strlen(d);
|
|
</pre>
|
|
<li>test.c:68: <b> [1] </b> (buffer) <i> MultiByteToWideChar:
|
|
Requires maximum length in CHARACTERS, not bytes (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>). Risk
|
|
is very low, the length appears to be in characters not bytes. </i>
|
|
<pre>
|
|
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof(wszUserName)/sizeof(wszUserName[0]));
|
|
</pre>
|
|
<li>test.c:70: <b> [1] </b> (buffer) <i> MultiByteToWideChar:
|
|
Requires maximum length in CHARACTERS, not bytes (<a
|
|
href="https://cwe.mitre.org/data/definitions/120.html">CWE-120</a>). Risk
|
|
is very low, the length appears to be in characters not bytes. </i>
|
|
<pre>
|
|
MultiByteToWideChar(CP_ACP,0,szName,-1,wszUserName,sizeof wszUserName /sizeof(wszUserName[0]));
|
|
</pre>
|
|
</ul>
|
|
<h2>Analysis Summary</h2>
|
|
<p>
|
|
Hits = 39
|
|
<br>
|
|
Lines analyzed = 126
|
|
<br>
|
|
Physical Source Lines of Code (SLOC) = 86
|
|
<br>
|
|
Hits@level = [0] 16 [1] 9 [2] 9 [3] 4 [4] 10 [5] 7 <br>
|
|
Hits@level+ = [0+] 55 [1+] 39 [2+] 30 [3+] 21 [4+] 17 [5+] 7 <br>
|
|
Hits/KSLOC@level+ = [0+] 639.535 [1+] 453.488 [2+] 348.837 [3+] 244.186 [4+] 197.674 [5+] 81.3953 <br>
|
|
Suppressed hits = 2 (use --neverignore to show them)
|
|
<br>
|
|
Minimum risk level = 1
|
|
<br>
|
|
Not every hit is necessarily a security vulnerability.
|
|
You can inhibit a report by adding a comment in this form:
|
|
// flawfinder: ignore
|
|
Make *sure* it's a false positive!
|
|
You can use the option --neverignore to show these.
|
|
<br>
|
|
There may be other security vulnerabilities; review your code!
|
|
<br>
|
|
See '<a href="https://dwheeler.com/secure-programs">Secure Programming HOWTO</a>'
|
|
(<a href="https://dwheeler.com/secure-programs">https://dwheeler.com/secure-programs</a>) for more information.
|
|
</body>
|
|
</html>
|