[sr #107525] Use of dangerous/banned functions (Particular Instances)

Jeffrey Walton INVALID.NOREPLY at gnu.org
Fri Nov 19 01:00:18 CET 2010


                 Summary: Use of dangerous/banned functions (Particular
                 Project: GnuTLS
            Submitted by: noloader
            Submitted on: Fri 19 Nov 2010 12:00:16 AM GMT
                Category: None
                Priority: 5 - Normal
                Severity: 3 - Normal
                  Status: None
                 Privacy: Public
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
        Operating System: None



GnuTLS is using some functions which cannot indicate error; and other times
the project is ignoring return values from known unsafe functions. The
attached audit displays usage of strcpy, strncpy, strcat, strncat, sprintf,
and vsprintf.

In many cases, the function in question does not return a useful return
value*, so GnuTLS has no way of detecting abnormalities. It might not be
appropriate to assume SUCCESS under all circumstances, especially in a hostile

Other functions return a value, but the return value is ignored - for example
sprintf and snprintf in certtool.c. In the case of security software, it is
often prudent to check return values in all cases where a value is available.

Attached is the jagged script used to generate the audit (enhancements
welcome), and the results of the audit. A sample of the audit follows.

===== certtool.c =====
124: sprintf (&(buf[i * 3]), "%02X%s", raw[i],
===== cli.c =====
876: strcpy (b, "\r\n");
===== common.c =====
64: sprintf (&(buf[i * 3]), "%02X%s", raw[i],
===== crypt.c =====
165: strcpy (_salt, salt);
578: strcpy (tmpname, tpasswd);
579: strcat (tmpname, ".tmp");
131: sprintf (line, "%d:%s:%s\n", index, str_n.data, str_g.data);
511: sprintf (result, "%s:%s", txt_verifier.data, txt_salt.data);


* For example, strcpy(3) man page states (Ubuntu 10.x):
    RETURN VALUE: The  strcpy()  and strncpy() functions return a pointer
    to the destination string dest.

man pages typically under-play the return value. From The Open Group Base

    RETURN VALUE: The strcpy() function shall return s1; no return value
    is reserved to indicate an error.


File Attachments:

Date: Fri 19 Nov 2010 12:00:16 AM GMT  Name: audit-unsafe-fns.txt  Size: 3kB  By: noloader

Date: Fri 19 Nov 2010 12:00:16 AM GMT  Name: audit-unsafe.sh  Size: 808B  By: noloader



Reply to this item at:


  Message sent via/by Savannah
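The report's two points are that strcpy/strcat cannot signal failure at all, and that sprintf/snprintf can but their results go unchecked (the `sprintf (&(buf[i * 3]), "%02X%s", raw[i], ...)` pattern from certtool.c and common.c). The following is an added illustration, not code from the report, its attachments or GnuTLS: bounded replacements that return an error instead of overrunning, and a hex encoder built on the same `"%02X%s"` format that checks every snprintf return value. The function names `checked_strcpy`, `checked_strcat` and `hex_encode` and the sample byte array are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Bounded copy that, unlike strcpy(3), has a return value that can
 * report failure: 0 on success, -1 if src (plus NUL) does not fit in
 * dstlen bytes. On failure dst is left untouched. */
int checked_strcpy(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0 || n >= dstlen)
        return -1;              /* would overflow or truncate */
    memcpy(dst, src, n + 1);    /* n + 1 copies the terminating NUL */
    return 0;
}

/* Bounded concatenation with the same contract as checked_strcpy.
 * Also fails if dst is not NUL-terminated within dstlen bytes. */
int checked_strcat(char *dst, size_t dstlen, const char *src)
{
    size_t used = strnlen(dst, dstlen);
    if (used == dstlen)
        return -1;              /* no terminator found: dst is unusable */
    return checked_strcpy(dst + used, dstlen - used, src);
}

/* Hex-encode rawlen bytes as "0A:FF:00" into buf. Every snprintf result
 * is checked: a negative value is an encoding error, a value >= the
 * remaining space means the output was truncated. Returns the number of
 * characters written (excluding NUL), or -1 on any error. */
int hex_encode(const uint8_t *raw, size_t rawlen, char *buf, size_t buflen)
{
    size_t pos = 0;
    if (buflen == 0)
        return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < rawlen; i++) {
        const char *sep = (i + 1 < rawlen) ? ":" : "";
        int n = snprintf(buf + pos, buflen - pos, "%02X%s", raw[i], sep);
        if (n < 0)
            return -1;                          /* encoding error */
        if ((size_t)n >= buflen - pos)
            return -1;                          /* truncated: does not fit */
        pos += (size_t)n;
    }
    return (int)pos;
}

int main(void)
{
    /* Constructed sample input for the demonstration. */
    const uint8_t raw[3] = { 0x0A, 0xFF, 0x00 };
    char hex[16], small[8], name[8];

    printf("hex_encode into 16 bytes: %d -> \"%s\"\n",
           hex_encode(raw, 3, hex, sizeof hex), hex);
    /* 3 bytes need "0A:FF:00" + NUL = 9 bytes, so 8 is reported as -1. */
    printf("hex_encode into 8 bytes:  %d\n", hex_encode(raw, 3, small, sizeof small));

    /* The tmpname/".tmp" pattern, with the failure now observable. */
    printf("copy+cat: %d %d -> \"%s\"\n",
           checked_strcpy(name, sizeof name, "ab"),
           checked_strcat(name, sizeof name, ".tmp"), name);
    printf("overlong cat: %d\n", checked_strcat(name, sizeof name, ".tmp"));
    return 0;
}
```

The caller still has to act on the -1, but with these contracts a truncated or overlong string becomes a detectable condition rather than a silent overflow, which is the property the report asks for.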
