From owner-freebsd-current Tue Nov 23 13:05:26 1999
Delivered-To: freebsd-current@freebsd.org
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id 7538A14A21 for ; Tue, 23 Nov 1999 13:05:22 -0800 (PST) (envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <40331>; Wed, 24 Nov 1999 07:57:03 +1100
Content-return: prohibited
Date: Wed, 24 Nov 1999 08:03:52 +1100
From: Peter Jeremy
Subject: Re: FreeBSD security auditing project.
In-reply-to:
To: Kris Kennaway
Cc: current@FreeBSD.ORG
Reply-To: peter.jeremy@alcatel.com.au
Message-Id: <99Nov24.075703est.40331@border.alcanet.com.au>
MIME-version: 1.0
X-Mailer: Mutt 1.0pre3i
Content-type: text/plain; charset=us-ascii
References: <199911231905.VAA80949@gratis.grondar.za>
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 1999-Nov-24 06:35:16 +1100, Kris Kennaway wrote:
>> o unsafe use of the str*(3) functions; strcat/strcpy/sprintf &c.
>
>I wonder how many instances of the potentially unsafe functions there are
>in the source tree? :)

A 'grep | wc' equivalent over the source tree gives:

    gets        110
    strcat     2860
    strcpy     4717
    strncat     167
    strncpy    1514
    sprintf    6839
    vsprintf    133

Note that (particularly in the case of gets()), this includes the
definition(s) in libraries and declarations in various headers as well as
occurrences in comments, strings and structure/union members. There are
also occurrences in dead or unused code (e.g. gnu/usr.bin/as/config/tc-vax.c
calls gets() 10 times as well as referring to it in a comment).

These counts are based on tokens, not strings, so (e.g.) fgets doesn't get
counted as gets.

A string search for (roughly) "scanf.*%s" also picks up 74 cases of
un-bounded string scans.

And these are the easy ones...

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message