[sr #107525] Use of dangerous/banned functions (Particular Instances)
Jeffrey Walton
INVALID.NOREPLY at gnu.org
Fri Nov 19 01:00:18 CET 2010
URL: <http://savannah.gnu.org/support/?107525>
Summary: Use of dangerous/banned functions (Particular Instances)
Project: GnuTLS
Submitted by: noloader
Submitted on: Fri 19 Nov 2010 12:00:16 AM GMT
Category: None
Priority: 5 - Normal
Severity: 3 - Normal
Status: None
Privacy: Public
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Operating System: None
_______________________________________________________
Details:
GnuTLS is using some functions which cannot indicate error; and other times
the project is ignoring return values from known unsafe functions. The
attached audit displays usage of strcpy, strncpy, strcat, strncat, sprintf,
and vsprintf.
In many cases, the function in question does not return a useful return
value*, so GnuTLS has no way of detecting abnormalities. It might not be
appropriate to assume SUCCESS under all circumstances, especially in a hostile
environment.
Other functions return a value, but the return value is ignored - for example
sprintf and snprintf in certtool.c. In the case of security software, it is
often prudent to check return values in all cases where a value is available.
Attached is the jagged script used to generate the audit (enhancements
welcome), and the results of the audit. A sample of the audit follows.
===== certtool.c =====
124: sprintf (&(buf[i * 3]), "%02X%s", raw[i],
===== cli.c =====
876: strcpy (b, "\r\n");
===== common.c =====
64: sprintf (&(buf[i * 3]), "%02X%s", raw[i],
===== crypt.c =====
165: strcpy (_salt, salt);
578: strcpy (tmpname, tpasswd);
579: strcat (tmpname, ".tmp");
131: sprintf (line, "%d:%s:%s\n", index, str_n.data, str_g.data);
511: sprintf (result, "%s:%s", txt_verifier.data, txt_salt.data);
....
==========
* For example, strcpy(3) man page states (Ubuntu 10.x):
RETURN VALUE: The strcpy() and strncpy() functions return a pointer
to the destination string dest.
Man pages typically under-play the return value. From The Open Group Base
Specifications
(http://www.opengroup.org/onlinepubs/009695399/functions/strcpy.html):
RETURN VALUE: The strcpy() function shall return s1; no return value
is reserved to indicate an error.
_______________________________________________________
File Attachments:
-------------------------------------------------------
Date: Fri 19 Nov 2010 12:00:16 AM GMT Name: audit-unsafe-fns.txt Size: 3kB
By: noloader
<http://savannah.gnu.org/support/download.php?file_id=22055>
-------------------------------------------------------
Date: Fri 19 Nov 2010 12:00:16 AM GMT Name: audit-unsafe.sh Size: 808B
By: noloader
<http://savannah.gnu.org/support/download.php?file_id=22054>
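Added example (not part of the report and not GnuTLS code): bounded, return-checked forms of the two patterns in the audit sample, the per-byte "%02X%s" hex formatting and the strcpy/strcat ".tmp" name construction. The function names, buffer sizes, and the separator argument are assumptions; the audit line is truncated before its last argument, so the separator here is a stand-in.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: write raw[] into buf as hex bytes joined by sep.
 * Returns 0 on success, -1 if snprintf reports an error or the output
 * would not fit; on failure buf is left as an empty string. */
int hex_encode(char *buf, size_t buflen, const unsigned char *raw,
               size_t rawlen, const char *sep)
{
    size_t used = 0;
    if (!buf || buflen == 0 || !sep || (!raw && rawlen != 0))
        return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < rawlen; i++) {
        int n = snprintf(buf + used, buflen - used, "%02X%s",
                         (unsigned)raw[i], (i + 1 < rawlen) ? sep : "");
        /* n < 0: output error; n >= space left: the text was truncated. */
        if (n < 0 || (size_t)n >= buflen - used) {
            buf[0] = '\0';
            return -1;
        }
        used += (size_t)n;
    }
    return 0;
}

/* Hypothetical helper: build "<path>.tmp" with one bounded call instead of
 * strcpy() followed by strcat(). Returns 0 on success, -1 on error. */
int make_tmpname(char *dst, size_t dstlen, const char *path)
{
    if (!dst || dstlen == 0 || !path)
        return -1;
    int n = snprintf(dst, dstlen, "%s.tmp", path);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    const unsigned char raw[] = { 0xDE, 0xAD, 0xBE, 0xEF }; /* constructed sample */
    char out[12], name[16];
    if (hex_encode(out, sizeof out, raw, sizeof raw, ":") != 0 ||
        make_tmpname(name, sizeof name, "tpasswd") != 0)
        return 1;
    printf("%s %s\n", out, name);
    return strcmp(out, "DE:AD:BE:EF") != 0;
}
```

Both helpers treat a return value equal to or larger than the remaining space as failure, which is how snprintf signals truncation.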