Date:      Wed, 24 Nov 1999 08:03:52 +1100
From:      Peter Jeremy <jeremyp@gsmx07.alcatel.com.au>
To:        Kris Kennaway <kris@hub.freebsd.org>
Cc:        current@FreeBSD.ORG
Subject:   Re: FreeBSD security auditing project.
Message-ID:  <99Nov24.075703est.40331@border.alcanet.com.au>
In-Reply-To: <Pine.BSF.4.21.9911231123090.38330-100000@hub.freebsd.org>
References:  <199911231905.VAA80949@gratis.grondar.za> <Pine.BSF.4.21.9911231123090.38330-100000@hub.freebsd.org>

On 1999-Nov-24 06:35:16 +1100, Kris Kennaway wrote:
>> o unsafe use of the str*(3) functions; strcat/strcpy/sprintf &c.
>
>I wonder how many instances of the potentially unsafe functions there are
>in the source tree? :)

A 'grep | wc' equivalent over the source tree gives:

gets        110
strcat     2860
strcpy     4717
strncat     167
strncpy    1514
sprintf    6839
vsprintf    133

Note that (particularly in the case of gets()), this includes the
definition(s) in libraries and declarations in various headers as well
as occurrences in comments, strings and structure/union members.
There are also occurrences in dead or unused code (eg
gnu/usr.bin/as/config/tc-vax.c calls gets() 10 times as well as
referring to it in a comment).

These counts are based on tokens, not strings, so (eg) fgets doesn't
get counted as gets.

A string search for (roughly) "scanf.*%s" also picks up 74 cases of
un-bounded string scans.

And these are the easy ones...

Peter
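The token-based count Peter describes (where fgets is not counted as gets, but declarations, comments and string literals still are) can be reproduced with a small script. The following is an added example, not part of the original message or of any FreeBSD tool; the C snippet it scans is constructed for the demonstration, and the comment-stripping regex and the scanf check are approximations in the spirit of the "scanf.*%s" search, not a precise C parser.

```python
import re
import sys
from collections import Counter

# The potentially unsafe functions listed in the mail.
UNSAFE_FUNCS = ("gets", "strcat", "strcpy", "strncat", "strncpy", "sprintf", "vsprintf")

# \b on both sides makes this a token match: "fgets" does not contain the token "gets",
# and "strncpy" does not contain the token "strcpy".
TOKEN_RE = re.compile(r"\b(" + "|".join(UNSAFE_FUNCS) + r")\b")

# Rough C comment stripper (does not understand comment markers inside string literals).
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

# A *scanf call whose format string holds a "%s" with no field width.
# "%63s" has no "%s" substring, "%%s" is excluded by the lookbehind.
SCANF_RE = re.compile(r'\b\w*scanf\s*\([^;]*"[^"]*(?<!%)%s')

# Constructed sample source for the demonstration (not compiled, not from any project).
SAMPLE = r'''
#include <stdio.h>
#include <string.h>

/* gets() is unsafe; fgets() is the bounded replacement */
char *gets(char *);                    /* declaration: counted too */

int read_name(char *buf, size_t n)
{
    char tmp[64];
    int i;
    gets(tmp);                         /* unbounded read */
    fgets(buf, n, stdin);              /* bounded; a different token */
    strcpy(buf, tmp);
    strncpy(buf, tmp, n - 1);
    sprintf(buf, "%s", tmp);
    scanf("%s", tmp);                  /* unbounded scan */
    scanf("%63s", tmp);                /* bounded scan */
    sscanf(buf, "%d %s", &i, tmp);     /* unbounded scan */
    printf("100%%s\n");                /* literal percent, not a conversion */
    return 0;
}
'''


def count_unsafe_tokens(src, strip_comments=False):
    """Count identifier tokens of the unsafe functions; optionally ignore comments."""
    if strip_comments:
        src = COMMENT_RE.sub(" ", src)
    counts = Counter(TOKEN_RE.findall(src))
    # Report every function, including those with zero hits.
    return {name: counts.get(name, 0) for name in UNSAFE_FUNCS}


def find_unbounded_scanf(src):
    """Return (line number, line) for lines with a *scanf call using an unbounded %s."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if SCANF_RE.search(line):
            hits.append((lineno, line.strip()))
    return hits


def report(src, label):
    raw = count_unsafe_tokens(src)
    no_comments = count_unsafe_tokens(src, strip_comments=True)
    print(f"== {label} ==")
    for name in UNSAFE_FUNCS:
        print(f"{name:<10}{raw[name]:>6}   (excluding comments: {no_comments[name]})")
    for lineno, line in find_unbounded_scanf(src):
        print(f"unbounded scanf at line {lineno}: {line}")


if __name__ == "__main__":
    # With file arguments, scan those files; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                report(fh.read(), path)
    else:
        report(SAMPLE, "constructed sample")
```

On the sample, gets is counted three times with comments included (the comment, the declaration and the call) and twice with comments stripped, which is exactly the over-counting Peter warns about; the two unbounded scans are the "%s" calls, while the "%63s" call and the literal "100%%s" are not reported.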

