From owner-freebsd-current Tue Nov 23 21:52: 2 1999
Delivered-To: freebsd-current@freebsd.org
Received: from green.dyndns.org (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 01AB114ECD; Tue, 23 Nov 1999 21:51:24 -0800 (PST) (envelope-from green@FreeBSD.org)
Received: from localhost (green@localhost [127.0.0.1]) by green.dyndns.org (8.9.3/8.9.3) with ESMTP id XAA40676; Tue, 23 Nov 1999 23:33:14 -0500 (EST) (envelope-from green@FreeBSD.org)
Date: Tue, 23 Nov 1999 23:33:14 -0500 (EST)
From: Brian Fundakowski Feldman
X-Sender: green@green.dyndns.org
To: peter.jeremy@alcatel.com.au
Cc: Kris Kennaway, current@FreeBSD.org
Subject: Re: FreeBSD security auditing project.
In-Reply-To: <99Nov24.075703est.40331@border.alcanet.com.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 24 Nov 1999, Peter Jeremy wrote:

> A 'grep | wc' equivalent over the source tree gives:
>
> gets        110
> strcat     2860
> strcpy     4717
> strncat     167
> strncpy    1514
> sprintf    6839
> vsprintf    133
> ...
> A string search for (roughly) "scanf.*%s" also picks up 74 cases of
> un-bounded string scans.
>
> And these are the easy ones...

I'd like to note something. strcat() isn't necessarily unsafe, and
strncat() isn't necessarily safe. It is not possible to just tell people
"look for this and replace it with this." For example, with fscanf():

	char buf[80], something[80];
	int smurf;

#if 1
	/* This is safe, of course: the field width caps what %s stores at
	 * sizeof(something) - 1 characters plus the NUL.  (scanf has no
	 * "%.*s" form; the width has to be spelled out in the format.) */
	if (fscanf(file, "%d:foo:%79s", &smurf, something) == 2)
		/* use smurf and something */;
#else
	/* I'm using %s here, but it's safe.  Compare the buffer sizes. */
	if (fscanf(file, "%d:foo:%s", &smurf, something) == 2)
		/* use smurf and something */;
#endif

For a better example, in the real world (from src/sys/netinet/ip_fw.c):

#define SNPARGS(buf, len) buf + len, sizeof(buf) > len ? sizeof(buf) - len : 0

	char action2[32], proto[47], name[18], fragment[17];

	/* Print command name */
	snprintf(SNPARGS(name, 0), "ipfw: %d", f ? f->fw_number : -1);

Despite the fact that the buffer name[] was made to be exactly the largest
size, where sprintf() _would_be_safe_, some people insist on using
snprintf() "for stability". Don't get caught doing this. If you find a
strcat() (for example), see if it's safe. If it is, then why replace it?

> Peter
>

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
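As an added worked example (not part of Brian's mail or of the FreeBSD source), the following C program shows the two points the message makes: a %s scan is bounded only when the conversion carries a field width derived from the buffer size, and the ip_fw.c SNPARGS macro keeps a chain of snprintf() calls inside a fixed array even after the text stops fitting, which is where it adds something over a one-shot sprintf() into an exactly sized buffer. The names NAME_MAX, STR(), parse_record(), struct rulebuf, format_rule() and self_check() are chosen for this example, and the input lines are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Bounded %s scan.  A field width in the conversion ("%79s") caps what
 * scanf stores at that many characters plus the terminating NUL, so the
 * width must be one less than the buffer size.  scanf has no "%.*s";
 * the width has to be spelled out, which STR() does from the buffer-size
 * constant so the two cannot drift apart.
 * NAME_MAX, STR() and parse_record() are names chosen for this example. */
#define NAME_MAX 79
#define STR_(x)  #x
#define STR(x)   STR_(x)

/* Parse "<num>:foo:<name>" into a fixed buffer of NAME_MAX + 1 bytes.
 * Returns the number of fields converted (2 on success), as sscanf does. */
int parse_record(const char *line, int *num, char name[NAME_MAX + 1])
{
	return sscanf(line, "%d:foo:%" STR(NAME_MAX) "s", num, name);
}

/* Same shape as the ip_fw.c SNPARGS macro quoted in the mail, with the
 * arguments parenthesised.  It yields "pointer, bytes left" for a fixed
 * array and clamps the size to 0 once len has reached the end, so a
 * chain of snprintf() calls can never write past the array.  sizeof()
 * only works because the array is a real array here (a struct member,
 * not a pointer parameter). */
#define SNPARGS(buf, len) \
	(buf) + (len), sizeof(buf) > (len) ? sizeof(buf) - (len) : 0

/* name[18] is the exact size for "ipfw: " (6) plus the longest 32-bit
 * int "-2147483648" (11) plus the NUL: that is why the mail says sprintf()
 * would already be safe for the first call.  SNPARGS earns its keep when
 * more text is appended afterwards. */
struct rulebuf {
	char name[18];
};

/* Append "ipfw: <rule> <proto>" into rb->name the ipfw way.  Returns the
 * length the full text would have had; a return >= sizeof rb->name tells
 * the caller the text was truncated (the buffer stays NUL-terminated). */
size_t format_rule(struct rulebuf *rb, int rule, const char *proto)
{
	size_t len = 0;

	len += snprintf(SNPARGS(rb->name, len), "ipfw: %d", rule);
	len += snprintf(SNPARGS(rb->name, len), " %s", proto);
	return len;
}

/* Runs both helpers over constructed input.  Returns 0 when every check
 * holds, otherwise the number of the first failing check. */
int self_check(void)
{
	int num = 0;
	char name[NAME_MAX + 1];
	char longline[200];
	struct rulebuf rb;

	if (parse_record("42:foo:hello", &num, name) != 2 || num != 42
	    || strcmp(name, "hello") != 0)
		return 1;

	/* A constructed 150-character field: only NAME_MAX chars are stored. */
	memset(longline, 0, sizeof longline);
	memcpy(longline, "7:foo:", 6);
	memset(longline + 6, 'A', 150);
	if (parse_record(longline, &num, name) != 2 || num != 7
	    || strlen(name) != NAME_MAX)
		return 2;

	/* Fits: "ipfw: 1 tcp" is 11 characters. */
	if (format_rule(&rb, 1, "tcp") != 11
	    || strcmp(rb.name, "ipfw: 1 tcp") != 0)
		return 3;

	/* Does not fit: 30 characters wanted, 17 kept plus the NUL. */
	if (format_rule(&rb, 12345, "tcp-something-long") != 30
	    || strcmp(rb.name, "ipfw: 12345 tcp-s") != 0)
		return 4;

	return 0;
}

int main(void)
{
	int rc = self_check();

	printf("self_check: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
	return rc;
}
```

The return value of format_rule() is the practical check to pair with SNPARGS: the macro guarantees the array is never overrun, but only the caller can decide whether a truncated message is acceptable, so comparing the returned length against the array size is what turns silent truncation into something the code can act on.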