
Sample of Defect

Project Name: elbing/harvey
CID: 90641
Checker: BUFFER_SIZE_WARNING
Category: Memory - illegal accesses
Developer Description: Oh joy. This is in the key management code which converts passwords. This has also been there forever.
File: /sys/src/libauthsrv/opasstokey.c
/*
 * This file is part of the UCB release of Plan 9. It is subject to the license
 * terms in the LICENSE file found in the top-level directory of this
 * distribution and at http://akaros.cs.berkeley.edu/files/Plan9License. No
 * part of the UCB release of Plan 9, including this file, may be copied,
 * modified, propagated, or distributed except according to the terms contained
 * in the LICENSE file.
 */

#include <u.h>
#include <libc.h>
#include <authsrv.h>

/*
 * opasstokey: derive a 7-byte key from the password string p and store it
 * in key[0..6].
 *
 * Returns 0, leaving key untouched, when p is shorter than 5 characters;
 * returns 1 otherwise.  Only the first 10 characters of p influence the
 * result: the length is clamped to 10 and no index above p[9] is read, so
 * anything typed after the tenth character does not change the key.
 *
 * key must have room for at least 7 bytes; nothing in this function checks
 * that.
 */
int
opasstokey(char *key, char *p)
{
        /* Fixed-width scratch bytes, pre-filled with spaces; never read as a C string below. */
        uint8_t t[10];
        int c, n;

        /* The size_t result of strlen is stored in an int. */
        n = strlen(p);
        memset(t, ' ', sizeof t);
 < 1. Condition "n < 5", taking false branch
22
23
        if(n < 5)
                return 0;
 < 2. Condition "n > 10", taking true branch
24
25
        if(n > 10)
                n = 10;
        /*
         * At this point n is at most 10 and at most strlen(p), so strncpy copies
         * exactly n bytes of p and writes no NUL into t; with n == 10 the array is
         * filled end to end.  That is the condition the checker event below
         * reports.  In this function t is afterwards accessed only by index
         * (t[0] through t[7]); t[8] and t[9] are written by the copy but not read
         * again, and t is not handed to any other string routine.
         * NOTE(review): memcpy(t, p, n) copies the same n bytes and states the
         * no-terminator intent explicitly, which also keeps a later edit from
         * assuming t is NUL-terminated.
         */
 <<< CID 90641: Memory - illegal accesses BUFFER_SIZE_WARNING
 <<< 3. Calling strncpy with a maximum size argument of 10 bytes on destination array "t" of size 10 bytes might leave the destination string unterminated.
26
        strncpy((char*)t, p, n);
        /*
         * Characters 9 and 10 of the password are not packed as bytes.  Their low
         * four bits are combined into the mask c (p[8] in bits 0-3, p[9] shifted
         * up by four), and the loop below tests bits 0-7 of that mask.
         */
 < 4. Condition "n >= 9", taking true branch
27
28
        if(n >= 9){
                c = p[8] & 0xf;
                /*
                 * NOTE(review): p is plain char.  Where char is signed and p[9] holds
                 * a byte of 0x80 or above, the value is negative and left-shifting it
                 * is undefined in ISO C; converting through unsigned char first would
                 * avoid that.  Confirm how the project's compiler treats plain char.
                 */
 < 5. Condition "n == 10", taking true branch
29
30
                if(n == 10)
                        c += p[9] << 4;
                /* n is reused as the loop index from here on; the clamped length is no longer needed. */
 < 6. Condition "n < 8", taking true branch
 < 9. Condition "n < 8", taking true branch
 < 12. Condition "n < 8", taking true branch
 < 15. Condition "n < 8", taking false branch
31
                for(n = 0; n < 8; n++)
 < 7. Condition "c & (1 << n)", taking true branch
 < 10. Condition "c & (1 << n)", taking true branch
 < 13. Condition "c & (1 << n)", taking false branch
32
                        if(c & (1 << n))
                                /* Subtract 0x20 from the selected byte; uint8_t wraps modulo 256 if the byte is below 0x20. */
 < 8. Jumping back to the beginning of the loop
 < 11. Jumping back to the beginning of the loop
 < 14. Jumping back to the beginning of the loop
33
34
                                t[n] -= ' ';
        }
        /*
         * Each key byte adds t[n] shifted right by n to t[n+1] shifted left by
         * 7 - n; the int result is narrowed to char on assignment.  Reads cover
         * t[0] through t[7], all inside the 10-byte array.
         * Presumably this packs eight 7-bit characters into 56 bits -- confirm
         * against the key format the callers expect.
         */
 < 16. Condition "n < 7", taking true branch
 < 18. Condition "n < 7", taking true branch
 < 20. Condition "n < 7", taking false branch
35
        for(n = 0; n < 7; n++)
 < 17. Jumping back to the beginning of the loop
 < 19. Jumping back to the beginning of the loop
36
37
38
                key[n] = (t[n] >> n) + (t[n+1] << (8 - (n+1)));
        return 1;
}
Events:
3. buffer_size_warning opasstokey.c:26