Version 1.3

  'pscan' is a program which attempts to scan C source files for
common function abuses, which often lead to buffer overflows.  See the
included file 'test.c' for examples of good and bad programming
practice.  For the latest version, see:

	http://deployingradius.com/pscan/


  The scan works by looking for one of a list of problem functions,
and applying the following rule:

  IF the last parameter of the function is the format string,
  AND the format string is NOT a static string,
  THEN complain.

  See 'test.c' for examples.
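  As an added illustration (this is not pscan's own code), the following
C function applies the rule above to a single line of C source.  The list
of problem functions and the position of each one's format argument are
assumed for the example; pscan's real list lives in its own source, and
calls split across several lines are not handled here.

```c
#include <ctype.h>
#include <string.h>

/* Problem functions and the 0-based position of their format argument.
 * This list is constructed for the example; pscan keeps its own list. */
static const struct { const char *name; int fmt_arg; } problem[] = {
    { "printf", 0 }, { "fprintf", 1 }, { "sprintf", 1 },
    { "snprintf", 2 }, { "syslog", 1 }, { "vprintf", 0 },
};

static int is_ident(char c) { return isalnum((unsigned char)c) || c == '_'; }

/* Apply pscan's rule to one line of C source: return 1 if it calls a
 * problem function with a format argument that is not a string literal,
 * 0 otherwise.  Calls split across several lines are not handled. */
int pscan_line(const char *line) {
    for (size_t i = 0; i < sizeof(problem) / sizeof(problem[0]); i++) {
        size_t len = strlen(problem[i].name);
        const char *p = line;
        while ((p = strstr(p, problem[i].name)) != NULL) {
            const char *q = p + len;
            while (*q == ' ' || *q == '\t') q++;
            /* Whole identifier followed by '(' ("fprintf" must not match "printf") */
            if ((p != line && is_ident(p[-1])) || *q != '(') { p += len; continue; }
            int depth = 0, arg = 0, in_str = 0;
            const char *argstart = q + 1;
            for (const char *c = q + 1; *c; c++) {
                if (in_str) {                 /* skip string literal contents */
                    if (*c == '\\' && c[1]) c++; else if (*c == '"') in_str = 0;
                    continue;
                }
                if (*c == '"') { in_str = 1; continue; }
                if (*c == '(') { depth++; continue; }
                if (depth > 0) { if (*c == ')') depth--; continue; }
                if (*c == ',' || *c == ')') { /* end of argument number 'arg' */
                    if (arg == problem[i].fmt_arg) {
                        while (isspace((unsigned char)*argstart)) argstart++;
                        return *argstart != '"';  /* complain unless static string */
                    }
                    if (*c == ')') break;
                    arg++; argstart = c + 1;
                }
            }
            p = q;
        }
    }
    return 0;
}
```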

  Once pscan has found the problems, it's up to you to examine the
source code, and correct the (possible) security breach.

  You can build pscan by typing:

	make

  If you don't have lex or yacc installed, it probably won't work.
You'll have to figure out how to build it yourself, as I'm too lazy to
write an autoconf for a ~100 line C program.


  Once pscan is built, you can test it by typing:

	./pscan test.c

  You should see it complain about a number of errors, giving the
source file, line number, and problematic function name.

  If there are any errors found, pscan exits with status 1.  Typing:

	echo $?

should get you a '1'.

  Now try:

	./pscan ./pscan.c

  You shouldn't see any errors, and the exit code will be 0 (zero).

  You can scan multiple C source files with one run of pscan, by
specifying multiple filenames on the command line:

	./pscan ./*.c

  If ANY problems are found, they are printed out, and pscan exits
with status 1.

  If you don't trust it, pscan has a verbose option: -v.

	./pscan -vv ./test.c

  The output should make itself clear.

  You can supply additional definitions of problem functions through
the '-p' command line option.  See wu-ftpd.pscan for details.

  As of version 1.2, pscan now also prints out warnings when
non-constant strings are used as format parameters.  This behaviour
can be enabled by using the '-w' command line parameter.


  In addition to the problem C library functions, many programs
define their own functions with similar security problems.  The
included shell script:

	find_formats.sh

tries to discover C function prototypes for the problem functions.
It won't find them all, but it will find many of the most common ones.

  Alan DeKok <aland@deployingradius.com>
  January 4, 2007.

----------------------------------------------------------------------
Copyright (C) 2000,2007 Alan DeKok <aland@deployingradius.com>

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or (at
your option) any later version.

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
USA

----------------------------------------------------------------------
