Project Name | CID | Checker | Category | Developer Description |
---|---|---|---|---|
freetds2 | 90796 | TAINTED_STRING | Insecure data handling | Although not a critical application this prevents a real SQL injection. |
672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 |
bcp_control(dbproc, BCPMAXERRS, pdata->maxerrors); if (FAIL == bcp_readfmt(dbproc, pdata->formatfile)) return FALSE; printf("\nStarting copy...\n\n"); if (FAIL == bcp_exec(dbproc, &li_rowsread)) { fprintf(stderr, "bcp copy %s failed\n", (dir == DB_IN) ? "in" : "out"); return FALSE; } printf("%d rows copied.\n", li_rowsread); return TRUE; } int setoptions(DBPROCESS * dbproc, BCPPARAMDATA * params) { RETCODE fOK; |
< 1. Condition "dbfcmd(dbproc, "set textsize %d ", params->textsize) == 0", taking false branch
696 697 698 699 700 701 702 703 704 |
if (dbfcmd(dbproc, "set textsize %d ", params->textsize) == FAIL) { fprintf(stderr, "setoptions() could not set textsize at %s:%d\n", __FILE__, __LINE__); return FALSE; } /* * If the option is a filename, read the SQL text from the file. * Else pass the option verbatim to the server. */ |
< 2. Condition "params->options", taking true branch
705 706 707 |
if (params->options) { FILE *optFile; char optBuf[256]; |
< 3. Condition "(optFile = fopen(params->options, "r")) == NULL", taking false branch
709 710 711 712 713 714 |
if ((optFile = fopen(params->options, "r")) == NULL) { if (dbcmd(dbproc, params->options) == FAIL) { fprintf(stderr, "setoptions() failed preparing options at %s:%d\n", __FILE__, __LINE__); return FALSE; } } else { |
<< 4. "fgets" taints variable "optBuf".
< 5. Condition "fgets(optBuf, 256 /* sizeof (optBuf) */, optFile) != NULL", taking true branch
715 |
while (fgets (optBuf, sizeof(optBuf), optFile) != NULL) { |
<<< CID 90796: Insecure data handling TAINTED_STRING <<< 6. Passing tainted string "optBuf" to "dbfcmd", which cannot accept tainted data. [Note: The source code implementation of the function has been overridden by a builtin model.]
716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 |
if (dbfcmd(dbproc, optBuf) == FAIL) { fprintf(stderr, "setoptions() failed preparing options at %s:%d\n", __FILE__, __LINE__); fclose(optFile); return FALSE; } } if (!feof (optFile)) { perror("freebcp"); fprintf(stderr, "error reading options file \"%s\" at %s:%d\n", params->options, __FILE__, __LINE__); fclose(optFile); return FALSE; } fclose(optFile); } } if (dbsqlexec(dbproc) == FAIL) { fprintf(stderr, "setoptions() failed sending options at %s:%d\n", __FILE__, __LINE__); return FALSE; } while ((fOK = dbresults(dbproc)) == SUCCEED) { while ((fOK = dbnextrow(dbproc)) == REG_ROW) continue; if (fOK == FAIL) { fprintf(stderr, "setoptions() failed sending options at %s:%d\n", __FILE__, __LINE__); return FALSE; |
4. tainted_string_argument | freebcp.c:715 | |
6. tainted_string | freebcp.c:716 |