/**********************************************************************
 * pscan: http://deployingradius.com/pscan/
 *
 * Copyright (C) 2000,2007 Alan DeKok <aland@deployingradius.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
 *
 **********************************************************************/
#error Do not compile this file!

/*
 * This file consists of a number of sample snippets of C code.
 * Run it through the scanner by doing:
 *
 *   ./pscan ./test.c
 *
 * You should see a number of problems reported.
 *
 * The "OK" / "problematic" markers describe only what pscan's
 * format-string check is expected to say about each line.  "OK" does
 * not mean the line is free of other defects: several samples below
 * write with unbounded sprintf() into 'buffer', whose size is never
 * declared here, which is a separate (overflow) issue pscan does not
 * look for.
 *
 * None of the identifiers used below (variable, buffer, format, ...)
 * are declared.  The file exists only as scanner input, hence the
 * #error above.
 */


/*
 * This may be a problem.  The format string is a variable, so whatever
 * it holds is interpreted by fprintf().  If its contents can come from
 * outside the program, the caller controls the conversions while no
 * matching arguments are supplied.
 */
fprintf(stderr, variable); /* problematic */

/*
 * This MIGHT be a problem, depending on where the 'format'
 * string comes from, and what its value is.  A scanner cannot tell a
 * program-internal table entry from data read at run time; a human
 * has to check where 'format' is assigned.
 */
fprintf(stderr, format, variable1, variable2);

/*
 * This is safer.  The format is a literal, and 'variable' is only ever
 * printed as data by the "%s" conversion.
 */
fprintf(stderr, "%s", variable); /* OK */

/*
 * Constant strings can't be modified externally, so they're OK.
 */
sprintf(buffer, "string"); /* OK */

/*
 * If you're a dumb enough programmer to put something like this
 * in the source, you get what you deserve.  But it isn't an
 * externally exploitable security hole.
 * (The missing argument for "%s" is undefined behaviour in C; the
 * point of the sample is that the format itself is a constant, so
 * nobody outside the program can change what it does.)
 */
sprintf(buffer, "%s"); /* OK */

/*
 * The variable may contain formatting commands!  Anything in
 * 'variable' that looks like a '%' conversion is interpreted rather
 * than copied, and sprintf() puts no length bound on 'buffer' either.
 */
sprintf(buffer, variable); /* problematic */

/*
 * This is the safe way of doing it, as far as the format string goes:
 * 'variable' is copied verbatim.  (snprintf() with a size, as in the
 * samples further down, would also bound the write into 'buffer'.)
 */
sprintf(buffer, "%s", variable); /* OK */

/*
 * The first sprintf is OK, but the second one has a problem.
 * This is a check for nested security problems: the scanner must
 * look inside argument lists, not just at the outermost call.
 */
sprintf(buffer, "%d", sprintf(buffer1, variable)); /* problematic! */

/*
 * strerror(errno) isn't a problem function, and snprintf has lots
 * of arguments after the format string, so this is OK.
 */
snprintf(buffer, sizeof(buffer), "test: Error opening %s: %s\n", filename, strerror(errno)); /* OK */

/*
 * Multi-line sequences get checked, too.  This one should be OK.
 */
snprintf(buffer, sizeof(buffer), "test: Error opening %s: %s\n",
	 filename,
	 strerror(errno)); /* also OK */

/*
 * This multi-line sequence shouldn't be OK.  The call is split across
 * lines, but the format argument is still a bare variable with
 * nothing after it.
 */
sprintf(buffer,
	variable); /* problematic */

/*
 * Lots of arguments after the format string.  It's up to your C
 * compiler to see if you're using the right number of arguments for
 * the format string (build with -Wformat); pscan does not check that
 * the conversions match the arguments.
 */
sprintf(buffer, "%s %s %s", one, two, three); /* OK */

/*
 * Nested parentheses should be OK.  Both branches of the conditional
 * are string literals, so the format can't come from outside.
 * ("%4" is not a complete conversion specification; checking format
 * syntax is left to the compiler, not to pscan.)
 */
printf((variable ? "%4" : "%3s"), string); /* OK */

/*
 * User-supplied format strings are OK, I guess...
 * The difference from the next sample is that an argument follows the
 * format.  Whether fmt1/fmt2 are really safe depends on where they are
 * assigned: a format read from the network or a file is not.
 */
printf((variable ? fmt1 : fmt2), string3); /* OK */

/*
 * There's still only one argument for printf, that's a problem.
 * Stripping the parentheses leaves printf(string) with a non-literal
 * format and nothing after it.
 */
printf((variable ? string1 : string2)); /* problematic */

// sprintf(buffer, variable); C++ comments get ignored, for good or for bad.

/* sprintf(buffer, variable); these comments get ignored, too */

/*
 * This next bit of code is from the wu-ftp source.  It's OK, but it
 * gets flagged because the parser isn't smart enough to check for
 * previous, safe, uses of strings.
 *
 * NOTE(review): whether this really is OK depends on 'remoteident'.
 * The "%s" copies it verbatim into 's', and 's' is then used as the
 * syslog() format, so any '%' sequence in remoteident is interpreted
 * by syslog().  If remoteident is derived from the peer, the flag is
 * justified; syslog(LOG_DEBUG, "%s", s) sidesteps the question.
 */
sprintf(s, "PASV port %i assigned to %s", i, remoteident);
syslog(LOG_DEBUG, s);

/*
 * The following are references to the functions, but not actual
 * function calls, so they're OK.
 */
void *foo[] = {snprintf, fprintf}; /* OK */

/*
 * Your program may define a problem function in one file,
 * and use a variable of the same name in another file.  We don't
 * want to complain about uses of those variables.
 *
 * I know this won't work in a real C program, but it's a way of faking
 * such a variable reference, to ensure that pscan ignores it.
 */
fprintf[1] = 1; /* OK */

/*
 * NetBSD allows err(1,NULL).  We should, too.  A NULL format is a
 * constant, not data, so there is nothing for a caller to control.
 */
err(1, NULL);