File: test.c

/**********************************************************************
 * pscan: http://www.striker.ottawa.on.ca/~aland/pscan/
 *
 * Copyright (C) 2000 Alan DeKok <aland@ox.org>
 * 
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 * 
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 * 
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
 *
 * $Id: test.c,v 1.4 2000/07/17 22:13:15 aland Exp $
 *
 **********************************************************************/
#error Do not compile this file!

/*
 *  This file is a test fixture for pscan, not a program: it is a set of
 *  sample C statements that exercise the scanner's format-string checks.
 *  Run it through the scanner with:
 *
 *    ./pscan ./test.c
 *
 *  You should see a number of problems reported.  Each snippet below
 *  carries the verdict the scanner is expected to give ("OK" or
 *  "problematic").  The statements are deliberately left exactly as
 *  written; changing them changes what the scanner should find.
 */


/*
 *  Non-constant format string with no further arguments.  If 'variable'
 *  can come from outside the program and contains '%' directives, the
 *  caller no longer controls what the printf family reads from the
 *  argument list (or, via %n, writes).  Expected: reported.
 */
fprintf(stderr, variable);	/* problematic */

/*
 *  Non-constant format string followed by arguments.  Whether this is
 *  safe depends entirely on where 'format' comes from and what it
 *  contains; the scanner cannot decide that from this line alone.
 */
fprintf(stderr, format, variable1, variable2);

/*
 *  The first snippet written safely: the format is a string literal and
 *  'variable' is only ever treated as data.
 */
fprintf(stderr, "%s", variable); /* OK */

/*
 *  A string literal cannot be altered from outside the program, so a
 *  constant format is fine as far as format-string checking goes.
 *  (This fixture exercises format-string handling only; it says nothing
 *  about whether 'buffer' is large enough for the output.)
 */
sprintf(buffer, "string");	/* OK */

/*
 *  A constant format naming more conversions than there are arguments.
 *  That is a programmer error (undefined behaviour), but the format is
 *  not under external control, so it is not the class of bug the
 *  scanner looks for.
 */
sprintf(buffer, "%s");	/* OK */

/*
 *  Non-constant format with no arguments: 'variable' may contain
 *  formatting directives, so this is the classic format-string bug.
 */
sprintf(buffer, variable);	/* problematic */

/*
 *  The safe way to copy a string through sprintf: constant format,
 *  'variable' passed as an argument.
 */
sprintf(buffer, "%s", variable); /* OK */

/*
 *  Nested calls: the outer sprintf has a constant format ("%d") and is
 *  fine, but the inner sprintf uses 'variable' as its format.  This
 *  checks that the scanner also looks inside argument lists.
 */
sprintf(buffer, "%d", sprintf(buffer1, variable)); /* problematic! */

/*
 *  Constant format with a matching argument list.  strerror(errno) is an
 *  ordinary argument, not a format, and snprintf is given its arguments
 *  after the format string, so this is OK.
 */
snprintf(buffer, sizeof(buffer), "test: Error opening %s: %s\n", filename, strerror(errno)); /* OK */

/*
 *  The same call split over several lines.  Multi-line statements are
 *  checked as a whole, so this should also be reported as OK.
 */
snprintf(buffer, sizeof(buffer), "test: Error opening %s: %s\n",
	 filename,
	 strerror(errno)); /* also OK */

/*
 *  Multi-line version of the unsafe sprintf above; splitting the
 *  statement across lines must not hide the non-constant format.
 */
sprintf(buffer,
	variable);	/* problematic */

/*
 *  Constant format with several arguments.  The scanner only cares that
 *  the format is a constant; checking that the number and types of the
 *  arguments match the conversions is left to the C compiler (-Wformat).
 */
sprintf(buffer, "%s %s %s", one, two, three); /* OK */

/*
 *  A format chosen at run time between two string literals, inside a
 *  parenthesised expression.  Both alternatives are constants, so this
 *  is OK.
 *  NOTE(review): "%4" looks like a truncated "%4s".  It is left as-is:
 *  this is a scanner fixture and conversion checking is the compiler's job.
 */
printf((variable ? "%4" : "%3s"), string); /* OK */

/*
 *  A format chosen at run time between two non-constant strings, with an
 *  argument following.  The scanner accepts this because an argument
 *  follows the format, but as with 'format' above, real safety depends
 *  on where fmt1 and fmt2 come from.
 */
printf((variable ? fmt1 : fmt2), string3); /* OK */

/*
 *  Same shape, but the parenthesised expression is printf's only
 *  argument, so a non-constant string is used directly as the format.
 */
printf((variable ? string1 : string2));	/* problematic */

// sprintf(buffer, variable);	C++ comments get ignored, for good or for bad.

/* sprintf(buffer, variable);	these comments get ignored, too */

/*
 *  This pair of lines is taken from the wu-ftpd source.  The original
 *  author considered it OK on the grounds that 's' is built safely on the
 *  first line, and noted that the scanner flags the second line only
 *  because it does not track how a string was produced.
 *
 *  NOTE(review): the warning deserves a second look rather than being
 *  dismissed as a false positive.  's' is composed from 'remoteident';
 *  if that value can contain '%', it reaches syslog() as the format
 *  string on the next line.  syslog(LOG_DEBUG, "%s", s) is the safe form
 *  whatever remoteident holds.
 */
sprintf(s, "PASV port %i assigned to %s", i, remoteident);
syslog(LOG_DEBUG, s);

/*
 *  Function names used as values (initialisers of a pointer array), not
 *  as calls.  No format string is involved, so nothing should be
 *  reported.
 */
void *foo[] = {snprintf, fprintf}; /* OK */

/*
 *  A program may define a problem function in one file and, in another,
 *  use a variable with the same name.  Uses of such a variable must not
 *  be reported.
 *
 *  This line is not valid C (fprintf is a function, not an array); it
 *  exists only to fake such a variable reference for the scanner.
 */
fprintf[1] = 1;			/* OK */

/*
 *  NetBSD allows err(1, NULL), i.e. a NULL format.  The scanner should
 *  accept that too rather than treating the NULL as a problem format.
 */
err(1, NULL);