i-nex / I-Nex

System information tool written in gambas3, python, bash
http://i-nex.linux.pl/
174 stars, 24 forks

some potential security issues - #47

Closed shirishag75 closed 7 years ago

shirishag75 commented 7 years ago

See http://www.dwheeler.com/flawfinder/ .

I did the following -

┌─[shirish@debian] - [~/games/I-Nex] - [10043]
└─[$] flawfinder -Q -c .
Flawfinder version 1.31, (C) 2001-2014 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 169
./JSON/i-nex-edid.c:137:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    static char name[4];
./JSON/i-nex-edid.c:153:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    const unsigned char empty[3] = { 0, 0, 0 };
./JSON/i-nex-edid.c:211:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    static char ret[128];
./JSON/i-nex-edid.c:241:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
    static unsigned char name[53];
./JSON/i-nex-edid.c:1587:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
        char buf[3];
./JSON/i-nex-edid.c:1621:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
        char buf[3];
./JSON/i-nex-edid.c:1683:  [2] (buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119:CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.
        char buf[3];
./JSON/i-nex-edid.c:1776:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        if ((fd = open(argv[1], O_RDONLY)) == -1) {
./JSON/i-nex-edid.c:1783:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        if ((fd = open(argv[1], O_RDONLY)) == -1) {
./JSON/i-nex-edid.c:1787:  [2] (misc) open:
  Check when opening files - can an attacker redirect it (via symlinks),
  force the opening of special file type (e.g., device files), move things
  around to create a race condition, control its ancestors, or change its
  contents? (CWE-362).
        if ((ofd = open(argv[2], O_WRONLY)) == -1) {
./JSON/i-nex-edid.c:319:  [1] (buffer) strncat:
  Easily used incorrectly (e.g., incorrectly computing the correct maximum
  size to add) (CWE-120). Consider strcat_s, strlcat, or automatically
  resizing strings.
        strncat((char *)name, (char *)x + 5, 13);
./JSON/i-nex-edid.c:324:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
                      strlen((char *)name)));
./JSON/i-nex-edid.c:1521:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
    i = read(fd, ret + len, size - len);
./JSON/i-nex-edid.c:1576:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
        start = s + strlen(indentation);
./JSON/i-nex-edid.c:1735:  [1] (buffer) strlen:
  Does not handle strings that are not \0-terminated; if given one it may
  perform an over-read (it could cause a crash if unprotected) (CWE-126).
    for (i = strlen(name); i < 15; i++)

ANALYSIS SUMMARY:

Hits = 15
Lines analyzed = 3128 in approximately 0.39 seconds (7995 lines/second)
Physical Source Lines of Code (SLOC) = 2745
Hits@level = [0]   0 [1]   5 [2]  10 [3]   0 [4]   0 [5]   0
Hits@level+ = [0+]  15 [1+]  15 [2+]  10 [3+]   0 [4+]   0 [5+]   0
Hits/KSLOC@level+ = [0+] 5.46448 [1+] 5.46448 [2+] 3.64299 [3+]   0 [4+]   0 [5+]   0
Dot directories skipped = 7 (--followdotdir overrides)
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
There may be other security vulnerabilities; review your code!
See 'Secure Programming for Linux and Unix HOWTO'
(http://www.dwheeler.com/secure-programs) for more information.

While I don't understand the code, it seems that some of the things therein could be improved perhaps.
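The two hit classes that dominate the report above are the `strncat` size-argument mistake (CWE-120) and `strlen` on data that may not be NUL-terminated (CWE-126). The following is an added illustration written for this issue, not code from I-Nex or from edid-decode: a bounded-append helper that computes the `strncat` limit the way flawfinder's note asks for, beside a fixed-width field copier that never calls `strlen` on the raw field. `SAMPLE_FIELD`, the demo functions and the buffer sizes are constructed for the example; the 13-byte, 0x0A-terminated, space-padded text field mirrors the layout of an EDID text descriptor, which is the kind of input where a missing NUL is normal rather than a corner case.

```c
#include <stdio.h>
#include <string.h>

/*
 * Append src to dst without ever writing past dstsz bytes, leaving dst
 * NUL-terminated. Returns 0 if src fit completely, -1 if it was truncated.
 *
 * The strncat pitfall flawfinder describes is passing the destination
 * size as the third argument. That argument limits how many SOURCE bytes
 * are appended after whatever is already in dst, so the safe value is
 * the space remaining minus one byte for the terminator.
 */
int append_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst);      /* caller guarantees dst is NUL-terminated */
    if (used >= dstsz)              /* nothing left, not even for the NUL */
        return -1;
    size_t room = dstsz - used - 1;
    size_t need = strlen(src);
    strncat(dst, src, room);        /* writes at most room bytes, then a NUL */
    return need <= room ? 0 : -1;
}

/*
 * Copy a fixed-width field that may lack a NUL terminator (the CWE-126
 * situation behind the strlen hits) into a NUL-terminated buffer.
 * Stops at the first NUL inside the field if there is one, otherwise
 * takes exactly fieldlen bytes, and truncates to fit outsz.
 * Returns the number of bytes copied, not counting the terminator.
 */
size_t copy_field(char *out, size_t outsz,
                  const unsigned char *field, size_t fieldlen)
{
    if (outsz == 0)
        return 0;
    const unsigned char *nul = memchr(field, '\0', fieldlen);
    size_t n = nul ? (size_t)(nul - field) : fieldlen;
    if (n > outsz - 1)
        n = outsz - 1;
    memcpy(out, field, n);
    out[n] = '\0';
    return n;
}

/*
 * Constructed sample input: a 13-byte EDID-style text descriptor, which
 * is terminated with 0x0A and padded with spaces, never with a NUL.
 * The array is sized to exactly 13 so no terminator is stored; calling
 * strlen() on it directly would read past the end of the array.
 */
static const unsigned char SAMPLE_FIELD[13] = "ACME LCD 24\n ";

/* Each demo returns 1 when the helper behaved as intended. */
int demo_append_fits(void)
{
    char name[8] = "abc";
    int rc = append_bounded(name, sizeof name, "de");
    return rc == 0 && strcmp(name, "abcde") == 0;
}

int demo_append_truncates(void)
{
    char name[8] = "abc";
    /* For comparison, the misuse (not executed here):
     *   strncat(name, "defghij", sizeof name);
     * copies 7 source bytes after "abc" and writes 11 bytes into 8. */
    int rc = append_bounded(name, sizeof name, "defghij");
    return rc == -1 && strcmp(name, "abcdefg") == 0;
}

int demo_field_copy(void)
{
    char out[16];
    size_t n = copy_field(out, sizeof out, SAMPLE_FIELD, sizeof SAMPLE_FIELD);
    return n == 13 && out[13] == '\0' && memcmp(out, SAMPLE_FIELD, 13) == 0;
}

int demo_field_truncated(void)
{
    char out[5];    /* room for 4 bytes plus the terminator */
    size_t n = copy_field(out, sizeof out, SAMPLE_FIELD, sizeof SAMPLE_FIELD);
    return n == 4 && strcmp(out, "ACME") == 0;
}

int main(void)
{
    printf("append fits: %d\nappend truncates: %d\n"
           "field copy: %d\nfield truncated: %d\n",
           demo_append_fits(), demo_append_truncates(),
           demo_field_copy(), demo_field_truncated());
    return 0;
}
```

The design choice worth noting is that both helpers report truncation instead of silently dropping bytes: a caller that sees -1 (or a length shorter than the field) can log it, which is the behaviour you want in a tool that parses firmware-provided blobs such as EDID.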

eloaders commented 7 years ago

i-nex-edid is a clone of the program edid-decode. Original: https://cgit.freedesktop.org/xorg/app/edid-decode You can report an error to the original author.