1 /**********************************************************************
2  * pscan: http://deployingradius.com/pscan/
3  *
4  * Copyright (C) 2000,2007 Alan DeKok <aland@deployingradius.com>
5  *
6  * This program is free software; you can redistribute it and/or modify
7  * it under the terms of the GNU General Public License as published by
8  * the Free Software Foundation; either version 2 of the License, or
9  * (at your option) any later version.
10  *
11  * This program is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14  * GNU General Public License for more details.
15  *
16  * You should have received a copy of the GNU General Public License
17  * along with this program; if not, write to the Free Software
18  * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
19  *
20  **********************************************************************/
21 #error Do not compile this file!
22 
23 /*
24  *  This file consists of a number of sample snippets of C code.
25  *  Run it through the scanner by doing:
26  *
27  *    ./pscan ./test.c
28  *
29  *  You should see a number of problems reported.
30  */
31 
32 
33 /*
34  *  This may be a problem.
35  */
36 fprintf(stderr, variable);	/* problematic */
37 
38 /*
39  *  This MIGHT be a problem, depending on where the 'format'
40  *  string comes from, and what it's value is.
41  */
42 fprintf(stderr, format, variable1, variable2);
43 
44 /*
45  *  This is safer.
46  */
47 fprintf(stderr, "%s", variable); /* OK */
48 
49 /*
50  *  Constant strings can't be modified externally, so they're OK.
51  */
52 sprintf(buffer, "string");	/* OK */
53 
54 /*
55  *  If you're a dumb enough programmer to put something like this
56  *  in the source, you get what you deserve.  But it isn't an
57  *  externally exploitable security hole.
58  */
59 sprintf(buffer, "%s");	/* OK */
60 
61 /*
62  *  The variable may contain formatting commands!
63  */
64 sprintf(buffer, variable);	/* problematic */
65 
66 /*
67  *  This is the safe way of doing it.
68  */
69 sprintf(buffer, "%s", variable); /* OK */
70 
71 /*
72  *  The first sprintf is OK, but the second one has a problem.
73  *  This is a check for nested security problems.
74  */
75 sprintf(buffer, "%d", sprintf(buffer1, variable)); /* problematic! */
76 
77 /*
78  *  strerror(errno) isn't a problem function, and snprintf has lots
79  *  of arguments after the format string, so this is OK.
80  */
81 snprintf(buffer, sizeof(buffer), "test: Error opening %s: %s\n", filename, strerror(errno)); /* OK */
82 
83 /*
84  *  Multi-line sequences get checked, too.  This one should be OK.
85  */
86 snprintf(buffer, sizeof(buffer), "test: Error opening %s: %s\n",
87 	 filename,
88 	 strerror(errno)); /* also OK */
89 
90 /*
91  *  This multi-line sequence shouldn't be OK.
92  */
93 sprintf(buffer,
94 	variable);	/* problematic */
95 
96 /*
97  *  Lots of arguments after the format string.  It's up to your C
98  *  compiler to see if you're using the right number of arguments for
99  *  the format string.
100  */
101 sprintf(buffer, "%s %s %s", one, two, three); /* OK */
102 
103 /*
104  *  Nested braces should be OK.
105  */
106 printf((variable ? "%4" : "%3s"), string); /* OK */
107 
108 /*
109  *  User-supplied format strings are OK, I guess...
110  */
111 printf((variable ? fmt1 : fmt2), string3); /* OK */
112 
113 /*
114  *  There's still only one argument for printf, that's a problem.
115  */
116 printf((variable ? string1 : string2));	/* problematic */
117 
118 // sprintf(buffer, variable);	C++ comments get ignored, for good or for bad.
119 
120 /* sprintf(buffer, variable);	these comments get ignored, too */
121 
122 /*
123  *  This next bit of code is from the wu-ftp source.  It's OK, but it
124  *  gets flagged because the parser isn't smart enough to check for
125  *  previous, safe, uses of strings.
126   */
127 sprintf(s, "PASV port %i assigned to %s", i, remoteident);
128 syslog(LOG_DEBUG, s);
129 
130 /*
131  *  The following are references to the functions, but not actual
132  *  function calls, so they're OK.
133  */
134 void *foo[] = {snprintf, fprintf}; /* OK */
135 
136 /*
137  *  Your program may define a problem function in one file,
138  *  and use a variable of the same name in another file.  We don't
139  *  want to complain about uses of those variables.
140  *
141  *  I know this won't work in a real C program, but it's a way of faking
142  *  such a variable reference, to ensure that pscan ignores it.
143  */
144 fprintf[1] = 1;			/* OK */
145 
146 /*
147  *  NetBSD allows err(1,NULL).  We should, too.
148  */
149 err(1, NULL);
150