Project Name | CID | Checker | Category | Developer Description |
---|---|---|---|---|
kmod | 150468 | STRING_OVERFLOW | Security best practices violations | Buffer overflow that could corrupt the module database: a symbol name is copied with strcpy into a fixed 1024-byte local buffer without a length check. This finding triggered the development of a new set of APIs (scratchbuf) inside the project to deal cleanly with stack + heap buffers. |
fputs("# Aliases for symbols, used by symbol_request().\n", out); hash_iter_init(depmod->symbols, &iter); while (hash_iter_next(&iter, NULL, &v)) { const struct symbol *sym = v; if (sym->owner == NULL) continue; fprintf(out, "alias symbol:%s %s\n", sym->name, sym->owner->modname); } return 0; } static int output_symbols_bin(struct depmod *depmod, FILE *out) { struct index_node *idx; char alias[1024]; size_t baselen = sizeof("symbol:") - 1; struct hash_iter iter; const void *v; |
< 1. Condition "out == stdout", taking false branch.
if (out == stdout) return 0; idx = index_create(); |
< 2. Condition "idx == NULL", taking false branch.
if (idx == NULL) return -ENOMEM; memcpy(alias, "symbol:", baselen); hash_iter_init(depmod->symbols, &iter); |
< 3. Condition "hash_iter_next(&iter, NULL, &v)", taking true branch.
< 6. Condition "hash_iter_next(&iter, NULL, &v)", taking true branch.
while (hash_iter_next(&iter, NULL, &v)) { int duplicate; const struct symbol *sym = v; |
< 4. Condition "sym->owner == NULL", taking true branch.
< 7. Condition "sym->owner == NULL", taking false branch.
if (sym->owner == NULL) |
< 5. Continuing loop.
continue;
|
<<< CID 150468: Security best practices violations STRING_OVERFLOW <<< 8. You might overrun the 1024-character fixed-size string "&alias[baselen]" by copying "sym->name" without checking the length.
strcpy(alias + baselen, sym->name); duplicate = index_insert(idx, alias, sym->owner->modname, sym->owner->idx); if (duplicate && depmod->cfg->warn_dups) WRN("duplicate module syms:\n%s %s\n", alias, sym->owner->modname); } index_write(idx, out); index_destroy(idx); return 0; } static int output_builtin_bin(struct depmod *depmod, FILE *out) { FILE *in; struct index_node *idx; char infile[PATH_MAX], line[PATH_MAX], modname[PATH_MAX]; if (out == stdout) return 0; snprintf(infile, sizeof(infile), "%s/modules.builtin", depmod->cfg->dirname); in = fopen(infile, "r"); |
8. fixed_size_dest | depmod.c:1944 |