vulns.i4d

检查C/C++源程序中的可能错误和容易遭受弱点攻击的地方

desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC mkstemp {
desc = TOCTOUB,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUB
}
FUNC mktemp {
desc = TOCTOUB,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUB
}
FUNC mount {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC mrand48 {
desc = RAND,
solution = RAND_SOL,
risk = RISKY
}
FUNC nftw {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC nis_getservlist {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC nis_mkdir {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC nis_ping {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC nis_rmdir {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC nlist {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC nrand48 {
desc = RAND,
solution = RAND_SOL,
risk = RISKY
}
FUNC open {
desc = OPEN_DESC,
solution = OPEN_SOL,
risk = RISKY,
handler = H_TOCTOUB
}
FUNC opendir {
desc = OPEN_DESC,
solution = OPEN_SOL,
risk = RISKY,
handler = H_TOCTOUB
}
FUNC openlog {
desc = TOCTOUB,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUB
}
FUNC pathconf {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC pathfind {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC popen {
desc = "Easy to run arbitrary commands through env vars.",
solution = "Use fork + execve + pipes instead.",
risk = MOST_RISKY
}
FUNC printf {
desc = FORMAT_DESC,
solution = FORMAT_SOL,
risk = LOW_RISK,
handler = H_PRINTF
}
FUNC rand {
desc = RAND,
solution = RAND_SOL,
risk = RISKY
}
FUNC random {
desc = RAND,
solution = RAND_SOL,
risk = RISKY
}
FUNC read {
desc = BO_LOOP,
solution = BO_LOOP_SOL,
risk = MODERATE_RISK,
input = TRUE
}
FUNC readlink {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC realpath {
desc = "Depending on impl, b.oflow problem.  Also, potential TOCTOU problem.",
solution = "Allocate your buf to be of size MAXPATHLEN and manually check arg lengths.  Also, manipulate file descriptors when possible.",
risk = MODERATE_RISK
}
FUNC recv {
desc = INPUT_DESC,
solution = INPUT_SOL,
risk = LOW_RISK,
input = TRUE
}
FUNC recvfrom {
desc = INPUT_DESC,
solution = INPUT_SOL,
risk = LOW_RISK,
input = TRUE
}
FUNC recvmsg {
desc = INPUT_DESC,
solution = INPUT_SOL,
risk = LOW_RISK,
input = TRUE
}

FUNC remove {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC rename {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC rmdir {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC rmdirp {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC scandir {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC scanf {
desc = BO_HIGH,
solution = SCANF_SOL,
risk = VERY_RISKY,
handler = H_SCANF,
input = TRUE
}
FUNC select {
desc = "Adding a +1 to MAX_FDS can cause a 1 bit heap overflow.",
solution = "The +1 is already in the macro.  Leave it out.",
risk = LOW_RISK
}
FUNC snprintf {
desc = BO_LOW,
solution = BO_MAXLEN_SOL,
risk = LOW_RISK,
handler = H_SNPRINTF
}
FUNC socket {
desc = "If a socket created by root is passed to children, children might be able to DoS using ioctl.",
solution = "Avoid doing it if possible, especially if you don't trust child processes.",
risk = LOW_RISK
}
FUNC sprintf {
desc = BO_HIGH,
solution = "Use snprintf if available, or precision specifiers, if available.",
risk = VERY_RISKY,
handler = H_SPRINTF
}
FUNC srand {
desc = RAND,
solution = RAND_SOL,
risk = RISKY
}
FUNC srand48 {
desc = RAND,
solution = RAND_SOL,
risk = RISKY
}
FUNC sscanf {
desc = BO_HIGH,
solution = SCANF_SOL,
risk = VERY_RISKY,
handler = H_SSCANF
}
FUNC stat {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC statvfs {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC strcadd {
desc = BO_LOW,
solution = BO_MAXLEN_SOL,
risk = LOW_RISK
}
FUNC strcat {
desc = BO_HIGH,
solution = "Use strncat instead.",
risk = VERY_RISKY,
handler = H_STRCPY
}
FUNC strccpy {
desc = BO_LOW,
solution = BO_MAXLEN_SOL,
risk = LOW_RISK
}
FUNC strcpy {
desc = BO_HIGH,
solution = "Use strncpy instead.",
risk = VERY_RISKY,
handler = H_STRCPY
}
FUNC streadd {
desc = BO_MED,
solution = "Make sure the dest param is 4x bigger than the src, minimum.",
risk = RISKY
}
FUNC strecpy {
desc = BO_MED,
solution = "Make sure the dest param can hold x4 more stuff than in the src, minimum.",
risk = RISKY
}
FUNC strncpy {
desc = BO_LOW,
solution = "Make sure that the destination buffer is as big as you think it is.",
risk = LOW_RISK,
handler = H_STRCPY
}
FUNC strtrns {
desc = BO_MED,
solution = "Manually check to see the dest is at least the same size as the src string.",
risk = RISKY
}
FUNC swprintf {
desc = BO_LOW,
solution = BO_MAXLEN_SOL,
risk = LOW_RISK,
handler = H_SNPRINTF
}
FUNC symlink {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC syslog {
desc = BO_LIB,
solution = BO_LIB_SOL,
risk = LOW_RISK,
handler = H_SYSLOG
}
FUNC system {
desc = "Easy to run arbitrary commands through env vars. Also, potential TOCTOU problems.",
solution = "Use fork + execve instead.",
risk = MOST_RISKY
}
FUNC t_open {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC tempnam {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC tmpfile {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC tmpnam {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC tmpnam_r {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC truncate {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC ttyname {
desc = "Value should not be trusted.",
solution = "Don't trust it.",
risk = RISKY
}
FUNC umask {
desc = "Setting a liberal umask can be bad when you exec an untrusted process.",
solution = "Reset the umask to something sane before execing.",
risk = RISKY
}
FUNC umount {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC unlink {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC utime {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC utimes {
desc = TOCTOUA,
solution = TOCTOU_SOL,
risk = RISKY,
handler = H_TOCTOUA
}
FUNC utmpname {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC utmpxname {
desc = TOCTOUG,
solution = TOCTOU_SOL,
risk = RISKY
}
FUNC vfscanf {
desc = BO_HIGH,
solution = SCANF_SOL,
risk = VERY_RISKY,
handler = H_SSCANF,
input = TRUE
}
FUNC vfwprintf {
desc = FORMAT_DESC,
solution = FORMAT_SOL,
risk = LOW_RISK,
handler = H_FPRINTF
}
FUNC vscanf {
desc = BO_HIGH,
solution = SCANF_SOL,
risk = VERY_RISKY,
handler = H_SCANF,
input = TRUE
}
FUNC vsnprintf {
desc = BO_LOW,
solution = BO_MAXLEN_SOL,
risk = LOW_RISK,
handler = H_SNPRINTF
}
FUNC vsprintf {
desc = BO_HIGH,
solution = "Use vsnprintf if available, or precision specifiers.",
risk = RISKY,
handler = H_SPRINTF
}
FUNC vsscanf {
desc = BO_HIGH,
solution = SCANF_SOL,
risk = VERY_RISKY,
handler = H_SSCANF
}
FUNC vswprintf {
desc = BO_LOW,
solution = BO_MAXLEN_SOL,
risk = LOW_RISK,
handler = H_SNPRINTF
}
FUNC vwprintf {
desc = FORMAT_DESC,
solution = FORMAT_SOL,
risk = LOW_RISK,
handler = H_PRINTF
}
FUNC wprintf {
desc = FORMAT_DESC,
solution = FORMAT_SOL,
risk = LOW_RISK,
handler = H_PRINTF
}

/*
 * Grammar for this file format, for those who care:
 *
 * program: var program
 *       | def program
 *       | EOF;
 *
 * var: id '=' (string|int) ';';
 * def: 'FUNC' id '{' (guts|) '}';
 * guts: id '=' (string|id|int) opt;
 * opt:  ',' guts
 *       |;
 */