
Sample of Defect

Project Name CID Checker Category Developer Description
freetds2 90796 TAINTED_STRING Insecure data handling Although freebcp is not a critical application, fixing this prevents a real SQL injection: each line of the user-supplied options file is handed to dbfcmd(), the printf-style command builder (compare line 696, `dbfcmd(dbproc, "set textsize %d ", ...)`), so any `%` sequences in the file are interpreted as format directives before the text is appended to the SQL command later sent by dbsqlexec(). Passing each line through dbcmd(), which the verbatim-option branch at line 710 already uses, avoids the format-string interpretation; the file contents are still trusted as SQL by design, so the options file must not be writable by untrusted users.
File: /src/apps/freebcp.c
        bcp_control(dbproc, BCPMAXERRS, pdata->maxerrors);

        if (FAIL == bcp_readfmt(dbproc, pdata->formatfile))
                return FALSE;

        printf("\nStarting copy...\n\n");


        if (FAIL == bcp_exec(dbproc, &li_rowsread)) {
                fprintf(stderr, "bcp copy %s failed\n", (dir == DB_IN) ? "in" : "out");
                return FALSE;
        }

        printf("%d rows copied.\n", li_rowsread);

        return TRUE;
}


int
setoptions(DBPROCESS * dbproc, BCPPARAMDATA * params)
{
        RETCODE fOK;
 < 1. Condition "dbfcmd(dbproc, "set textsize %d ", params->textsize) == 0", taking false branch
        if (dbfcmd(dbproc, "set textsize %d ", params->textsize) == FAIL) {
                fprintf(stderr, "setoptions() could not set textsize at %s:%d\n", __FILE__, __LINE__);
                return FALSE;
        }

        /* 
         * If the option is a filename, read the SQL text from the file.  
         * Else pass the option verbatim to the server.
         */
 < 2. Condition "params->options", taking true branch
        if (params->options) {
                FILE *optFile;
                char optBuf[256];
 < 3. Condition "(optFile = fopen(params->options, "r")) == NULL", taking false branch
                if ((optFile = fopen(params->options, "r")) == NULL) {
                        if (dbcmd(dbproc, params->options) == FAIL) {
                                fprintf(stderr, "setoptions() failed preparing options at %s:%d\n", __FILE__, __LINE__);
                                return FALSE;
                        }
                } else {
 << 4. "fgets" taints variable "optBuf".
 < 5. Condition "fgets(optBuf, 256 /* sizeof (optBuf) */, optFile) != NULL", taking true branch
                        while (fgets (optBuf, sizeof(optBuf), optFile) != NULL) {
 <<< CID 90796: Insecure data handling TAINTED_STRING
 <<< 6. Passing tainted string "optBuf" to "dbfcmd", which cannot accept tainted data. [Note: The source code implementation of the function has been overridden by a builtin model.] Why dbfcmd() cannot take it: dbfcmd() is the printf-style variant (see its use with "%d" at line 696), so the file-supplied optBuf is consumed as a format string; dbcmd(), as used at line 710 for the verbatim case, appends its argument literally.
                                if (dbfcmd(dbproc, optBuf) == FAIL) {
                                        fprintf(stderr, "setoptions() failed preparing options at %s:%d\n", __FILE__, __LINE__);
                                        fclose(optFile);
                                        return FALSE;
                                }
                        }
                        if (!feof (optFile)) {
                                perror("freebcp");
                                fprintf(stderr, "error reading options file \"%s\" at %s:%d\n", params->options, __FILE__, __LINE__);
                                fclose(optFile);
                                return FALSE;
                        }
                        fclose(optFile);
                }
        }
        
        if (dbsqlexec(dbproc) == FAIL) {
                fprintf(stderr, "setoptions() failed sending options at %s:%d\n", __FILE__, __LINE__);
                return FALSE;
        }
        
        while ((fOK = dbresults(dbproc)) == SUCCEED) {
                while ((fOK = dbnextrow(dbproc)) == REG_ROW)
                        continue;
                if (fOK == FAIL) {
                        fprintf(stderr, "setoptions() failed sending options at %s:%d\n", __FILE__, __LINE__);
                        return FALSE;
Events:
4. tainted_string_argument freebcp.c:715
6. tainted_string freebcp.c:716