openwall / john

John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs
https://www.openwall.com/john/

scan-build error messages #1209

Closed frank-dittrich closed 8 years ago

frank-dittrich commented 9 years ago

On a 64-bit Linux AVX system:

(bleeding-jumbo)src $ ./configure > /dev/null
(bleeding-jumbo)src $ scan-build make -s
scan-build: Using '/usr/bin/clang' for static analysis
jumbo.c:123:20: warning: Potential buffer overflow. Replace with 'sizeof(ret) - strlen(ret) - 1' or use a safer 'strlcat' API
        strncat(ret, src, sizeof(ret) - 1);
                          ^~~~~~~~~~~~~~~
/usr/include/bits/string2.h:784:63: note: expanded from macro 'strncat'
#  define strncat(dest, src, n) __builtin_strncat (dest, src, n)
                                                              ^
1 warning generated.
escrypt/sha256.c:183:2: warning: Value stored to 't0' is never read
        t0 = t1 = 0;
        ^    ~~~~~~
1 warning generated.
AFS_fmt.c:372:31: warning: The right operand of '^' is a garbage value
                        DES_IV[0] = binary.data[0] ^ *ptr_binary++;
                                                   ^ ~~~~~~~~~~~~~
1 warning generated.
timer.c:125:3: warning: Value stored to 'retval' is never read
                retval = 0;
                ^        ~
1 warning generated.
dynamic_fmt.c:2777:2: warning: Value stored to 'IPBw' is never read
        IPBw += inc;
        ^       ~~~
dynamic_fmt.c:7699:3: warning: Value stored to 'cp' is never read
                cp = Setup->szFORMAT_NAME;
                ^    ~~~~~~~~~~~~~~~~~~~~
dynamic_fmt.c:7908:10: warning: Dereference of null pointer
        valid = pFmtLocal->methods.valid(ciphertext, pFmtLocal);
                ^~~~~~~~~~~~~~~~~~~~~~~~
3 warnings generated.
zip2john.c:261:16: warning: Value stored to 'cp' is never read
                                if (store) cp += sprintf(cp, "*$/zip2$:::::%s\n", bname);
                                           ^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
keepass2john.c:192:3: warning: Value stored to 'filesize' is never read
                filesize = (long long)get_file_size(keyfile);
                ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
keepass2john.c:226:3: warning: Value stored to 'count' is never read
                count = fread(buffer, filesize, 1, kfp);
                ^       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
keystore2john.c:131:4: warning: Value stored to 'p' is never read
                        p = fgetc(fp);
                        ^   ~~~~~~~~~
keystore2john.c:166:4: warning: Value stored to 'p' is never read
                        p = fgetc(fp);
                        ^   ~~~~~~~~~
keystore2john.c:178:5: warning: Value stored to 'p' is never read
                                p = fgetc(fp);
                                ^   ~~~~~~~~~
3 warnings generated.
7z_fmt_plug.c:194:2: warning: Value stored to 'p' is never read
        p = strtokm(NULL, "$"); /* salt */
        ^   ~~~~~~~~~~~~~~~~~~
1 warning generated.
aix_smd5_fmt_plug.c:121:8: warning: Value stored to 'keeptr' during its initialization is never read
        char *keeptr = ctcopy;
              ^~~~~~   ~~~~~~
aix_smd5_fmt_plug.c:137:2: warning: Value stored to 'p' is never read
        p = strtokm(NULL, "$");
        ^   ~~~~~~~~~~~~~~~~~~
2 warnings generated.
aix_ssha_fmt_plug.c:192:8: warning: Value stored to 'keeptr' during its initialization is never read
        char *keeptr = ctcopy;
              ^~~~~~   ~~~~~~
1 warning generated.
clipperz_srp_fmt_plug.c:279:2: warning: Value stored to 'p' is never read
        p = ciphertext;
        ^   ~~~~~~~~~~
1 warning generated.
cryptsha256_fmt_plug.c:337:40: warning: Value stored to 'cp' is never read
        memcpy(cp, padding, tot_pc-2-len_pc); cp += (tot_pc-len_pc);
                                              ^     ~~~~~~~~~~~~~~~
cryptsha256_fmt_plug.c:353:45: warning: Value stored to 'cp' is never read
        memcpy(cp, padding, tot_ppsc-2-len_ppsc);  cp += (tot_ppsc-len_ppsc);
                                                   ^     ~~~~~~~~~~~~~~~~~~~
cryptsha256_fmt_plug.c:369:45: warning: Value stored to 'cp' is never read
        memcpy(cp, padding, tot_ppsc-2-len_ppsc);  cp += (tot_ppsc-len_ppsc);
                                                   ^     ~~~~~~~~~~~~~~~~~~~
cryptsha256_fmt_plug.c:384:43: warning: Value stored to 'cp' is never read
        memcpy(cp, padding, tot_ppc-2-len_ppc);  cp += (tot_ppc-len_ppc);
                                                 ^     ~~~~~~~~~~~~~~~~~
cryptsha256_fmt_plug.c:407:43: warning: Value stored to 'cp' is never read
        memcpy(cp, padding, tot_ppc-2-len_ppc);  cp += (tot_ppc-len_ppc);
                                                 ^     ~~~~~~~~~~~~~~~~~
cryptsha256_fmt_plug.c:422:43: warning: Value stored to 'cp' is never read
        memcpy(cp, padding, tot_psc-2-len_psc);  cp += (tot_psc-len_psc);
                                                 ^     ~~~~~~~~~~~~~~~~~
cryptsha256_fmt_plug.c:461:43: warning: Value stored to 'cp' is never read
        memcpy(cp, padding, tot_psc-2-len_psc);  cp += (tot_psc-len_psc);
                                                 ^     ~~~~~~~~~~~~~~~~~
cryptsha256_fmt_plug.c:505:2: warning: Value stored to 'next_cp' is never read
        next_cp = cp + (2*64*BLKS);
        ^         ~~~~~~~~~~~~~~~~
8 warnings generated.
cryptsha512_fmt_plug.c:321:40: warning: Value stored to 'cp' is never read
        memcpy(cp, padding, tot_pc-2-len_pc); cp += (tot_pc-len_pc);
                                              ^     ~~~~~~~~~~~~~~~
cryptsha512_fmt_plug.c:337:45: warning: Value stored to 'cp' is never read
        memcpy(cp, padding, tot_ppsc-2-len_ppsc);  cp += (tot_ppsc-len_ppsc);
                                                   ^     ~~~~~~~~~~~~~~~~~~~
cryptsha512_fmt_plug.c:353:45: warning: Value stored to 'cp' is never read
        memcpy(cp, padding, tot_ppsc-2-len_ppsc);  cp += (tot_ppsc-len_ppsc);
                                                   ^     ~~~~~~~~~~~~~~~~~~~
cryptsha512_fmt_plug.c:368:43: warning: Value stored to 'cp' is never read
        memcpy(cp, padding, tot_ppc-2-len_ppc);  cp += (tot_ppc-len_ppc);
                                                 ^     ~~~~~~~~~~~~~~~~~
cryptsha512_fmt_plug.c:391:43: warning: Value stored to 'cp' is never read
        memcpy(cp, padding, tot_ppc-2-len_ppc);  cp += (tot_ppc-len_ppc);
                                                 ^     ~~~~~~~~~~~~~~~~~
cryptsha512_fmt_plug.c:406:43: warning: Value stored to 'cp' is never read
        memcpy(cp, padding, tot_psc-2-len_psc);  cp += (tot_psc-len_psc);
                                                 ^     ~~~~~~~~~~~~~~~~~
cryptsha512_fmt_plug.c:445:43: warning: Value stored to 'cp' is never read
        memcpy(cp, padding, tot_psc-2-len_psc);  cp += (tot_psc-len_psc);
                                                 ^     ~~~~~~~~~~~~~~~~~
cryptsha512_fmt_plug.c:489:2: warning: Value stored to 'next_cp' is never read
        next_cp = cp + (2*128*BLKS);
        ^         ~~~~~~~~~~~~~~~~~
8 warnings generated.
dmg_fmt_plug.c:490:3: warning: Value stored to 'j' is never read
                j = 0;
                ^   ~
dmg_fmt_plug.c:545:3: warning: Value stored to 'j' is never read
                j = 0;
                ^   ~
2 warnings generated.
gpg_fmt_plug.c:372:2: warning: Value stored to 'res' is never read
        res = atoi(p);
        ^     ~~~~~~~
gpg_fmt_plug.c:1227:5: warning: Value stored to 'length' is never read
                                length += give_multi_precision_integer(out, length, &cur_salt->ql, cur_salt->q);
                                ^         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
idea_plug.c:414:2: warning: Value stored to 'tin0' is never read
        tin0=tin1=tout0=tout1=xor0=xor1=0;
        ^    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
idea_plug.c:566:2: warning: Value stored to 'v0' is never read
        v0=v1=ti[0]=ti[1]=t=c=cc=0;
        ^  ~~~~~~~~~~~~~~~~~~~~~~~
idea_plug.c:647:2: warning: Value stored to 'l0' is never read
        l0=l1=d[0]=d[1]=0;
        ^  ~~~~~~~~~~~~~~
idea_plug.c:754:2: warning: Value stored to 't' is never read
        t=v0=v1=ti[0]=ti[1]=0;
        ^ ~~~~~~~~~~~~~~~~~~~
4 warnings generated.
keystore_fmt_plug.c:162:2: warning: Value stored to 'p' is never read
        p = strtokm(NULL, "$"); /* skip hash */
        ^   ~~~~~~~~~~~~~~~~~~
keystore_fmt_plug.c:186:2: warning: Value stored to 'p' is never read
        p = strtokm(ctcopy, "$");
        ^   ~~~~~~~~~~~~~~~~~~~~
keystore_fmt_plug.c:187:2: warning: Value stored to 'p' is never read
        p = strtokm(NULL, "$");
        ^   ~~~~~~~~~~~~~~~~~~
keystore_fmt_plug.c:188:2: warning: Value stored to 'p' is never read
        p = strtokm(NULL, "$");
        ^   ~~~~~~~~~~~~~~~~~~
4 warnings generated.
luks_fmt_plug.c:393:2: warning: Value stored to 'res' is never read
        res = atoi(p);
        ^     ~~~~~~~
luks_fmt_plug.c:483:3: warning: Value stored to 'p' is never read
                p = strtokm(NULL, "$");
                ^   ~~~~~~~~~~~~~~~~~~
2 warnings generated.
md2_plug.c:172:4: warning: Value stored to 'current' is never read
                        current = 0;
                        ^         ~
1 warning generated.
mediawiki_fmt_plug.c:148:2: warning: Value stored to 'i' is never read
        i = strlen(ciphertext);
        ^   ~~~~~~~~~~~~~~~~~~
1 warning generated.
ntlmv1_mschapv2_fmt_plug.c:219:41: warning: The left operand of '>>' is a garbage value
        key[1] = (key_56[0] << 7) | (key_56[1] >> 1);
                                     ~~~~~~~~~ ^
1 warning generated.
office_common_plug.c:72:2: warning: Value stored to 'p' is never read
        p = strtokm(NULL, "*");
        ^   ~~~~~~~~~~~~~~~~~~
office_common_plug.c:73:2: warning: Value stored to 'p' is never read
        p = strtokm(NULL, "*");
        ^   ~~~~~~~~~~~~~~~~~~
office_common_plug.c:74:2: warning: Value stored to 'p' is never read
        p = strtokm(NULL, "*");
        ^   ~~~~~~~~~~~~~~~~~~
office_common_plug.c:75:2: warning: Value stored to 'p' is never read
        p = strtokm(NULL, "*");
        ^   ~~~~~~~~~~~~~~~~~~
office_common_plug.c:76:2: warning: Value stored to 'p' is never read
        p = strtokm(NULL, "*");
        ^   ~~~~~~~~~~~~~~~~~~
5 warnings generated.
pfx_fmt_plug.c:205:2: warning: Null pointer passed as an argument to a 'nonnull' parameter
        memcpy(&(psalt->pfx), p12, sizeof(PKCS12));
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
pkzip_fmt_plug.c:207:3: warning: Value stored to 'sFailStr' is never read
                sFailStr = "Out of data, reading count of hashes field"; goto Bail; }
                ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:210:3: warning: Value stored to 'sFailStr' is never read
                sFailStr = "Count of hashes field out of range"; goto Bail; }
                ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:213:3: warning: Value stored to 'sFailStr' is never read
                sFailStr = "Number of valid hash bytes empty or out of range"; goto Bail; }
                ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:218:4: warning: Value stored to 'sFailStr' is never read
                        sFailStr = "Invalid data enumeration type"; goto Bail; }
                        ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:222:4: warning: Value stored to 'sFailStr' is never read
                        sFailStr = "Invalid type enumeration"; goto Bail; }
                        ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:226:5: warning: Value stored to 'sFailStr' is never read
                                sFailStr = "Invalid compressed length"; goto Bail; }
                                ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:230:5: warning: Value stored to 'sFailStr' is never read
                                sFailStr = "Invalid data length value"; goto Bail; }
                                ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:233:5: warning: Value stored to 'sFailStr' is never read
                                sFailStr = "Invalid CRC value"; goto Bail; }
                                ^          ~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:237:5: warning: Value stored to 'sFailStr' is never read
                                sFailStr = "Invalid offset length"; goto Bail; }
                                ^          ~~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:241:5: warning: Value stored to 'sFailStr' is never read
                                sFailStr = "Invalid offset length"; goto Bail; }
                                ^          ~~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:246:4: warning: Value stored to 'sFailStr' is never read
                        sFailStr = "Compression type enumeration"; goto Bail; }
                        ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:249:4: warning: Value stored to 'sFailStr' is never read
                        sFailStr = "Invalid data length value"; goto Bail; }
                        ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:253:4: warning: Value stored to 'sFailStr' is never read
                        sFailStr = "invalid checksum value"; goto Bail; }
                        ^          ~~~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:257:5: warning: Value stored to 'sFailStr' is never read
                                sFailStr = "invalid checksum2 value"; goto Bail;}
                                ^          ~~~~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:263:6: warning: Value stored to 'sFailStr' is never read
                                        sFailStr = "invalid checksum value"; goto Bail; }
                                        ^          ~~~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:293:6: warning: Value stored to 'sFailStr' is never read
                                        sFailStr = "length of full data does not match the salt len"; goto Bail; }
                                        ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:295:6: warning: Value stored to 'sFailStr' is never read
                                        sFailStr = "invalid inline data"; goto Bail; }
                                        ^          ~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:299:5: warning: Value stored to 'sFailStr' is never read
                                sFailStr = "invalid partial data"; goto Bail; }
                                ^          ~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:662:2: warning: Null pointer passed as an argument to a 'nonnull' parameter
        memcpy(psalt->zip_data, H[0], ex_len[0]);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pkzip_fmt_plug.c:1430:6: warning: Value stored to 'SigChecked' is never read
                                        SigChecked = 1;
                                        ^            ~
20 warnings generated.
In file included from rar5_fmt_plug.c:40:
./rar5_common.h:109:2: warning: Value stored to 'p' is never read
        p = strtokm(NULL, "$");
        ^   ~~~~~~~~~~~~~~~~~~
1 warning generated.
rar_fmt_plug.c:306:3: warning: Value stored to 'ex_len' is never read
                ex_len = 16;
                ^        ~~
1 warning generated.
siemens-s7_fmt_plug.c:141:2: warning: Value stored to 'p' is never read
        p = strtokm(ctcopy, "$");
        ^   ~~~~~~~~~~~~~~~~~~~~
1 warning generated.
ssh_fmt_plug.c:146:2: warning: Value stored to 'p' is never read
        p = strtokm(NULL, "*"); // type (optional)
        ^   ~~~~~~~~~~~~~~~~~~
ssh_fmt_plug.c:339:3: warning: Function call argument is an uninitialized value
                memcpy(psalt->data, data, len);
                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.
twofish_plug.c:1423:5: warning: Value stored to 'A' is never read
    A=B=0;
    ^ ~~~
twofish_plug.c:1527:5: warning: Value stored to 'b' is never read
    b = bx = bxx = 0;
    ^   ~~~~~~~~~~~~
2 warnings generated.
vtp_fmt_plug.c:113:2: warning: Value stored to 'p' is never read
        p = ciphertext;
        ^   ~~~~~~~~~~
1 warning generated.
zip_fmt_plug.c:245:27: warning: Value stored to 'sFailStr' is never read
        if (!cp || *cp != '0') { sFailStr = "Out of data, reading count of hashes field"; goto Bail; }
                                 ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
zip_fmt_plug.c:250:3: warning: Value stored to 'sFailStr' is never read
                sFailStr = "Invalid aes mode (only valid for 1 to 3)"; goto Bail; }
                ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
zip_fmt_plug.c:259:3: warning: Value stored to 'sFailStr' is never read
                sFailStr = "Salt invalid or wrong length"; goto Bail; }
                ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
zip_fmt_plug.c:264:3: warning: Value stored to 'sFailStr' is never read
                sFailStr = "Validator invalid or wrong length (4 bytes hex)"; goto Bail; }
                ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
zip_fmt_plug.c:269:3: warning: Value stored to 'sFailStr' is never read
                sFailStr = "Data length invalid (not hex number)"; goto Bail; }
                ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
zip_fmt_plug.c:284:4: warning: Value stored to 'sFailStr' is never read
                        sFailStr = "Inline data blob invalid (not hex number), or wrong length"; goto Bail; }
                        ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
zip_fmt_plug.c:290:3: warning: Value stored to 'sFailStr' is never read
                sFailStr = "Authentication data invalid (not hex number), or not 20 hex characters"; goto Bail; }
                ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
zip_fmt_plug.c:305:3: warning: Value stored to 'sFailStr' is never read
                sFailStr = "Invalid trailing zip2 signature"; goto Bail; }
                ^          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
zip_fmt_plug.c:390:3: warning: Value stored to 'p' is never read
                p = pkz_GetFld(p, &Ob);
                ^   ~~~~~~~~~~~~~~~~~~
9 warnings generated.
bench.c:432:22: warning: Assigned value is garbage or undefined
                current->plaintext = TmpPW[i++];
                                   ^ ~~~~~~~~~~
1 warning generated.
idle.c:127:36: warning: Division by zero
                calls_per_tick = calls_since_adj / (current - last_adj);
                                 ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
mask.c:1977:4: warning: Null pointer passed as an argument to a 'nonnull' parameter
                        memcpy(template_key + template_key_offsets[i++], key,
                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
recovery.c:121:3: warning: Value stored to 'blockmode' is never read
                blockmode = F_SETLKW;
                ^           ~~~~~~~~
1 warning generated.
status.c:268:25: warning: Potential buffer overflow. Replace with 'sizeof(s_ETA) - strlen(s_ETA) - 1' or use a safer 'strlcat' API
                        strncat(s_ETA, " (", sizeof(s_ETA) - 1);
                                             ^~~~~~~~~~~~~~~~~
/usr/include/bits/string2.h:784:63: note: expanded from macro 'strncat'
#  define strncat(dest, src, n) __builtin_strncat (dest, src, n)
                                                              ^
status.c:270:4: warning: Size argument is greater than the free space in the destination buffer
                        strncat(s_ETA, ETA, sizeof(s_ETA) - 1);
                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/bits/string2.h:784:33: note: expanded from macro 'strncat'
#  define strncat(dest, src, n) __builtin_strncat (dest, src, n)
                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
status.c:270:24: warning: Potential buffer overflow. Replace with 'sizeof(s_ETA) - strlen(s_ETA) - 1' or use a safer 'strlcat' API
                        strncat(s_ETA, ETA, sizeof(s_ETA) - 1);
                                            ^~~~~~~~~~~~~~~~~
/usr/include/bits/string2.h:784:63: note: expanded from macro 'strncat'
#  define strncat(dest, src, n) __builtin_strncat (dest, src, n)
                                                              ^
status.c:271:24: warning: Potential buffer overflow. Replace with 'sizeof(s_ETA) - strlen(s_ETA) - 1' or use a safer 'strlcat' API
                        strncat(s_ETA, ")", sizeof(s_ETA) - 1);
                                            ^~~~~~~~~~~~~~~~~
/usr/include/bits/string2.h:784:63: note: expanded from macro 'strncat'
#  define strncat(dest, src, n) __builtin_strncat (dest, src, n)
                                                              ^
status.c:288:13: warning: Potential buffer overflow. Replace with 'sizeof(s_ETA) - strlen(s_ETA) - 1' or use a safer 'strlcat' API
                                        sizeof(s_ETA) - 1);
                                        ^~~~~~~~~~~~~~~~~
/usr/include/bits/string2.h:784:63: note: expanded from macro 'strncat'
#  define strncat(dest, src, n) __builtin_strncat (dest, src, n)
                                                              ^
status.c:293:29: warning: Potential buffer overflow. Replace with 'sizeof(s_ETA) - strlen(s_ETA) - 1' or use a safer 'strlcat' API
                strncat(s_ETA, " (ETA: ", sizeof(s_ETA) - 1);
                                          ^~~~~~~~~~~~~~~~~
/usr/include/bits/string2.h:784:63: note: expanded from macro 'strncat'
#  define strncat(dest, src, n) __builtin_strncat (dest, src, n)
                                                              ^
status.c:298:3: warning: Size argument is greater than the free space in the destination buffer
                strncat(s_ETA, ETA, sizeof(s_ETA) - 1);
                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/usr/include/bits/string2.h:784:33: note: expanded from macro 'strncat'
#  define strncat(dest, src, n) __builtin_strncat (dest, src, n)
                                ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
status.c:298:23: warning: Potential buffer overflow. Replace with 'sizeof(s_ETA) - strlen(s_ETA) - 1' or use a safer 'strlcat' API
                strncat(s_ETA, ETA, sizeof(s_ETA) - 1);
                                    ^~~~~~~~~~~~~~~~~
/usr/include/bits/string2.h:784:63: note: expanded from macro 'strncat'
#  define strncat(dest, src, n) __builtin_strncat (dest, src, n)
                                                              ^
status.c:299:23: warning: Potential buffer overflow. Replace with 'sizeof(s_ETA) - strlen(s_ETA) - 1' or use a safer 'strlcat' API
                strncat(s_ETA, ")", sizeof(s_ETA) - 1);
                                    ^~~~~~~~~~~~~~~~~
/usr/include/bits/string2.h:784:63: note: expanded from macro 'strncat'
#  define strncat(dest, src, n) __builtin_strncat (dest, src, n)
                                                              ^
9 warnings generated.
listconf.c:420:7: warning: Null pointer passed as an argument to a 'nonnull' parameter
        if (!strcasecmp(options.listconf, "inc-modes"))
             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
fake_salts.c:124:2: warning: Value stored to 'pPrep' is never read
        pPrep += sprintf(Prep, "%s%s$%s", DynaType, cp, FirstSalt);
        ^        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
unicode.c:748:9: warning: Branch condition evaluates to a garbage value
        while (*source) {
               ^~~~~~~
1 warning generated.
pp.c:459:5: warning: Null pointer passed as an argument to a 'nonnull' parameter
    memset (&db_entry->elems_buf[elems_alloc], 0, ALLOC_NEW_ELEMS * sizeof (elem_t));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pp.c:486:5: warning: Null pointer passed as an argument to a 'nonnull' parameter
    memset (&db_entry->chains_buf[chains_alloc], 0, ALLOC_NEW_CHAINS * sizeof (chain_t));
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pp.c:1323:5: warning: Value stored to 'prerule' is never read
    prerule = rpp_next(&ctx);
    ^         ~~~~~~~~~~~~~~
3 warnings generated.
unique.c:204:14: warning: Branch condition evaluates to a garbage value
                        if (LM && *LM_Buf)
                                  ^~~~~~~
unique.c:220:13: warning: Branch condition evaluates to a garbage value
                if (LM && *LM_Buf) {
                          ^~~~~~~
2 warnings generated.
gpg2john.c:361:4: warning: Value stored to 'gecos_remains' is never read
                        gecos_remains += strlen(login);
                        ^                ~~~~~~~~~~~~~
gpg2john.c:2134:2: warning: Value stored to 'days' is never read
        days += Getc();
        ^       ~~~~~~
gpg2john.c:2340:2: warning: Value stored to 'gecos_remains' is never read
        gecos_remains += strlen(login);
        ^                ~~~~~~~~~~~~~
gpg2john.c:2358:3: warning: Value stored to 'used' is never read
                used += len;
                ^       ~~~
4 warnings generated.
/usr/bin/ar: creating aes.a
wpapcap2john.c:695:2: warning: Value stored to 'cp' is never read
        cp += sprintf(cp, ":password %sverified:%s", (one_three == 1) ? "not " : "", filename);
        ^     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
unicode.c:748:9: warning: Branch condition evaluates to a garbage value
        while (*source) {
               ^~~~~~~
1 warning generated.
SIPdump.c:262:6: warning: Function call argument is an uninitialized value
        if (pcap_compile(handle, &fp, filter, 0, net) == -1) {
            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SIPdump.c:683:2: warning: Potential leak of memory pointed to by 'lines'
        free(lines[num_lines - 1]);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~
2 warnings generated.

Make process completed.
scan-build: 122 bugs found.
scan-build: Run 'scan-view /tmp/scan-build-2015-04-17-153339-21057-1' to examine bug reports.

Instead of calling scan-view, viewing file:///tmp/scan-build-2015-04-17-153339-21057-1/index.html in your preferred browser works as well.
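The scan-build output above flags `strncat(ret, src, sizeof(ret) - 1)` in jumbo.c and the `s_ETA` appends in status.c: strncat's third argument caps how many bytes of the source are appended, it is not the destination size, so `sizeof(dst) - 1` is only safe while the destination is still empty. The following is an added example, not code from John the Ripper: it computes how far the flagged idiom would write past a small buffer (instead of executing it), and shows the bounded append scan-build recommends, returning a truncation flag so the caller can reject over-long input. The buffer size of 16, the timestamp and the `build_eta_line` shape are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not John the Ripper code: the strncat bound that scan-build
 * flags above, next to a correct bounded append. */

/* Bytes that strncat(dst, src, n) would write past a dst of dstsz bytes when
 * dst already holds dst_len characters. Computed rather than executed so the
 * example itself never overflows. */
size_t strncat_overrun(size_t dst_len, size_t src_len, size_t n, size_t dstsz)
{
    size_t copied = src_len < n ? src_len : n;
    size_t needed = dst_len + copied + 1;          /* +1 for the terminating NUL */
    return needed > dstsz ? needed - dstsz : 0;
}

/* Correct bounded append: copies what fits, always NUL-terminates inside dstsz
 * and returns 1 when src had to be truncated (0 otherwise), so the caller can
 * reject an over-long input instead of silently printing a clipped string. */
int append_bounded(char *dst, size_t dstsz, const char *src)
{
    const char *end = memchr(dst, '\0', dstsz);
    size_t dst_len, room;

    if (end == NULL)                /* dst is not terminated within dstsz: refuse */
        return 1;
    dst_len = (size_t)(end - dst);
    room = dstsz - dst_len - 1;     /* the "sizeof(dst) - strlen(dst) - 1" scan-build suggests */
    strncat(dst, src, room);
    return strlen(src) > room;
}

/* Builds a status line in the shape of the s_ETA buffer in status.c: several
 * appends into one fixed buffer. Returns 1 if anything was truncated. */
int build_eta_line(char *out, size_t outsz, const char *eta)
{
    int truncated = 0;

    out[0] = '\0';
    truncated |= append_bounded(out, outsz, "elapsed");
    truncated |= append_bounded(out, outsz, " (ETA: ");
    truncated |= append_bounded(out, outsz, eta);
    truncated |= append_bounded(out, outsz, ")");
    return truncated;
}

int main(void)
{
    char small[16];                             /* constructed: deliberately too small */
    const char *eta = "2015-04-17 15:35";       /* constructed sample timestamp */
    int truncated = build_eta_line(small, sizeof small, eta);

    printf("bounded: \"%s\" (truncated=%d)\n", small, truncated);
    printf("strncat(small, eta, sizeof(small) - 1) after \"elapsed (ETA: \" "
           "would overrun by %zu bytes\n",
           strncat_overrun(strlen("elapsed (ETA: "), strlen(eta),
                           sizeof small - 1, sizeof small));
    return 0;
}
```

With the 16-byte buffer the bounded version stops at `elapsed (ETA: 2` and reports truncation, while the flagged idiom would have written 14 bytes past the end; with a 64-byte buffer the same calls produce the full line and no truncation. A `strlcat`-style call, where available, gives the same guarantee in one step.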

frank-dittrich commented 9 years ago

These are the scan-build error messages I get for master:

$ LC_ALL=C scan-build-3.5 make -s linux-x86-64-avx
scan-build: Using '/usr/lib/llvm-3.5/bin/clang' for static analysis
DES_std.c: In function 'DES_std_set_key':
DES_std.c:635:17: warning: array subscript is above array bounds [-Warray-bounds]
   while (DES_key[i++]) k += 2;
                 ^
AFS_fmt.c:371:31: warning: The right operand of '^' is a garbage value
                        DES_IV[0] = binary.data[0] ^ *ptr_binary++;
                                                   ^ ~~~~~~~~~~~~~
1 warning generated.
idle.c:110:36: warning: Division by zero
                calls_per_tick = calls_since_adj / (current - last_adj);
                                 ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~
1 warning generated.
memory.c:75:2: warning: Potential leak of memory pointed to by 'p'
        return p;
        ^~~~~~~~
1 warning generated.
scan-build: 3 bugs found.
scan-build: Run 'scan-view /tmp/scan-build-2015-04-17-153544-26322-1' to examine bug reports.
frank-dittrich commented 9 years ago

This is (minus the colours for syntax highlighting etc.) what an individual report looks like (here the division by zero report):

void idle_yield(void)
87  {
88  #ifdef _POSIX_PRIORITY_SCHEDULING
89      static unsigned int calls_to_skip = 0;
90      static unsigned int calls_per_tick = 0;
91      static unsigned int calls_since_tick = 0;
92      static unsigned int calls_since_adj = 0;
93      static int calls_per_tick_known = 0;
94      static clock_t last_adj = 0;
95      clock_t last_check;
96      clock_t current;
97      int yield_calls;
98      struct tms buf;
99   
100     if (!use_yield) return;
        [1] Assuming 'use_yield' is not equal to 0
        [2] Taking false branch
101  
102     if (++calls_since_tick < calls_to_skip) return;
        [3] Taking false branch
103     calls_since_adj += calls_since_tick;
104     calls_since_tick = 0;
105  
106     current = times(&buf);
107     if (!last_adj) last_adj = current;
        [4] Taking true branch
108  
109     if (current - last_adj >= clk_tck) {
        [5] Taking true branch
110         calls_per_tick = calls_since_adj / (current - last_adj);
        [6] Division by zero
111         calls_since_adj = 0;
112         calls_per_tick_known = 2;
113         last_adj = current;
frank-dittrich commented 9 years ago

Some of the error messages are false positives.

475     if (db_entry->chains_buf == NULL)
        [2] Taking true branch
476     {
477       fprintf (stderr, "Out of memory trying to allocate %zu bytes\n", (size_t) chains_alloc_new * sizeof (chain_t));
478  
479 #ifndef JTR_MODE
480       exit (-1);
481 #else
482       error();
483 #endif
484     }
485  
486     memset (&db_entry->chains_buf[chains_alloc], 0, ALLOC_NEW_CHAINS * sizeof (chain_t));
        [3] Null pointer passed as an argument to a 'nonnull' parameter
487  

scan-build didn't notice that the memset can never be reached with a NULL pointer.

Apparently a NEW bug from 2012: https://llvm.org/bugs/show_bug.cgi?id=12685 ("static-analyzer fails to see exit() in function w/ varargs resulting in a false positive")

frank-dittrich commented 9 years ago

Adding __attribute__((__noreturn__)) to a few selected function definitions should help to avoid these false positives: http://clang-analyzer.llvm.org/annotations.html#attr_noreturn

I'll test with the following patch:

diff --git a/src/misc.h b/src/misc.h
index e5653ee..e95fd5c 100644
--- a/src/misc.h
+++ b/src/misc.h
@@ -46,7 +46,13 @@
  * Exit on error. Logs the event, closes john.pot and the log file, and
  * terminates the process with non-zero exit status.
  */
-extern void real_error(char *file, int line);
+extern void real_error(char *file, int line)
+#ifdef __GNUC__
+   __attribute__((__noreturn__));
+#else
+   ;
+#endif
+   ;
 #define error(...) real_error(__FILE__, __LINE__)

 /*
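Review bot: the trailing `+   ;` after `#endif` leaves a stray semicolon at file scope in both branches, since the `__GNUC__` branch already ends its declaration with `__attribute__((__noreturn__));` and the `#else` branch with `;`; `-Wpedantic` reports that as an extra ';' outside of a function. Drop that line, or use the shape the `real_pexit` declaration further down already has, where the `;` lives inside each branch only.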
@@ -54,6 +60,7 @@ extern void real_error(char *file, int line);
  */
 extern void real_pexit(char *file, int line, char *format, ...)
 #ifdef __GNUC__
+   __attribute__((__noreturn__))
    __attribute__ ((format (printf, 3, 4)));
 #else
    ;
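Review bot: stacking a second `__attribute__` clause on `real_pexit` in the `__GNUC__` branch is valid, but the annotation only helps if `real_pexit` truly never returns on any path and in any build configuration; once callers such as the `memset` after the NULL check in pp.c rely on the noreturn promise, a `real_pexit` that does return turns a false positive into undefined behaviour. Worth a one-line comment above the declaration stating that contract, and a glance at the definition to confirm every path ends in `exit()`.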
frank-dittrich commented 9 years ago

commit 05754f018aa785a2f646861be38556ec7cd3ad65 got rid of 3 false positives, reducing the number of warnings from 122 to 119.

These are the 4 warnings that disappeared:

< dynamic_fmt.c:7908:10: warning: Dereference of null pointer
<         valid = pFmtLocal->methods.valid(ciphertext, pFmtLocal);
<                 ^~~~~~~~~~~~~~~~~~~~~~~~

< pfx_fmt_plug.c:205:2: warning: Null pointer passed as an argument to a 'nonnull' parameter
<         memcpy(&(psalt->pfx), p12, sizeof(PKCS12));
<         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

< pp.c:459:5: warning: Null pointer passed as an argument to a 'nonnull' parameter
<     memset (&db_entry->elems_buf[elems_alloc], 0, ALLOC_NEW_ELEMS * sizeof (elem_t));
<     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
< pp.c:486:5: warning: Null pointer passed as an argument to a 'nonnull' parameter
<     memset (&db_entry->chains_buf[chains_alloc], 0, ALLOC_NEW_CHAINS * sizeof (chain_t));
<     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

And this is the new warning:

> c3_fmt.c:126:9: warning: Value stored to 'salt' during its initialization is never read
>                 char *salt = tests[0].ciphertext;
>                       ^~~~   ~~~~~~~~~~~~~~~~~~~
frank-dittrich commented 9 years ago

The 2 bugs "Uninitialized argument value" are false positives.

But I was able to trigger an asan error for one of the 2 bugs "Out-of-bound array access":

git diff
diff --git a/run/john.conf b/run/john.conf
index 6b7e3ff..5002906 100644
--- a/run/john.conf
+++ b/run/john.conf
@@ -68,8 +68,8 @@ DefaultIncrementalLM = LM_ASCII
 # %d/%m/%y %H:%M   (day/mon/year hour:min)
 # %m/%d/%y %H:%M   (mon/day/year hour:min)
 # %Y-%m-%d %H:%M   (ISO 8601 style, 2011-05-06 18:10)
-TimeFormat = %Y-%m-%d %H:%M
-TimeFormat24 = %H:%M:%S
+TimeFormat = %Y-%m-%d %H:%M____________________________________________________________12345678901234567890123456789012345678901234567890123456789012345678901234567890
+TimeFormat24 = %H:%M:%S________________________________________________________________12345678901234567890123456789012345678901234567890123456789012345678901234567890

 # For single mode, load the full GECOS field (before splitting) as one
 # additional candidate. Normal behavior is to only load individual words
$ ./john hashes.sapb --wordlist
Loaded 10 password hashes with 10 different salts (sapb, SAP CODVN B (BCODE) [MD5 128/128 AVX 4x3])
Remaining 9 password hashes with 9 different salts
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
=================================================================
==11465== ERROR: AddressSanitizer: unknown-crash on address 0x000001384562 at pc 0x7fc74dad8645 bp 0x7ffd8fe13c20 sp 0x7ffd8fe133c8
WRITE of size 128 at 0x000001384562 thread T0
    #0 0x7fc74dad8644 (/usr/lib64/libasan.so.0.0.0+0xf644)
    #1 0x77e493 (/home/fd/git/JtR/run/john+0x77e493)
    #2 0x77f748 (/home/fd/git/JtR/run/john+0x77f748)
    #3 0x77fcea (/home/fd/git/JtR/run/john+0x77fcea)
    #4 0x74ccaf (/home/fd/git/JtR/run/john+0x74ccaf)
    #5 0x74d795 (/home/fd/git/JtR/run/john+0x74d795)
    #6 0x342fa21d64 (/usr/lib64/libc-2.18.so+0x21d64)
    #7 0x406534 (/home/fd/git/JtR/run/john+0x406534)
0x0000013845e0 is located 0 bytes to the right of global variable 's_ETA (status.c)' (0x1384560) of size 128
  's_ETA (status.c)' is ascii string ' ('
Shadow bytes around the buggy address:
  0x000080268850: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x000080268860: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x000080268870: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x000080268880: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x000080268890: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
=>0x0000802688a0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9[00]00 00 00
  0x0000802688b0: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0000802688c0: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0000802688d0: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000802688e0: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 04
  0x0000802688f0: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==11465== ABORTING
$ ./asan_symbolize.py 
    #0 0x7fc74dad8644 (/usr/lib64/libasan.so.0.0.0+0xf644)
    #1 0x77e493 (/home/fd/git/JtR/run/john+0x77e493)
    #2 0x77f748 (/home/fd/git/JtR/run/john+0x77f748)
    #3 0x77fcea (/home/fd/git/JtR/run/john+0x77fcea)
    #4 0x74ccaf (/home/fd/git/JtR/run/john+0x74ccaf)
    #5 0x74d795 (/home/fd/git/JtR/run/john+0x74d795)
    #6 0x342fa21d64 (/usr/lib64/libc-2.18.so+0x21d64)
    #7 0x406534 (/home/fd/git/JtR/run/john+0x406534)
llvm-symbolizer: for the -functions option: 'short' is invalid value for boolean argument! Try 0 or 1
    #0 0x7fc74dad8644 in __interceptor_strncat _asan_rtl_
    #1 0x77e493 in status_get_ETA /home/fd/git/JtR/src/status.c:270
    #2 0x77f748 in status_print_cracking /home/fd/git/JtR/src/status.c:358
    #3 0x77fcea in status_print /home/fd/git/JtR/src/status.c:482
    #4 0x74ccaf in john_run /home/fd/git/JtR/src/john.c:1428
    #5 0x74d795 in main /home/fd/git/JtR/src/john.c:1695
    #6 0x342fa21d64 in ?? ??:0
    #7 0x406534 in _start ??:?

From man strncat:

The strncat() function is similar (to strcat), except that it will use at most n bytes from src

Here, "from src" means it will happily write over the end of the destination buffer.

BTW: good luck finding this one with fuzzing.

Similar problems:

jumbo.c:123:    strncat(ret, src, sizeof(ret) - 1);
opencl_pbkdf2_hmac_sha512_fmt_plug.c:301:       strncat(out, &split_fields[1][i], sizeof(out) - 1);
status.c:268:                   strncat(s_ETA, " (", sizeof(s_ETA) - 1);
status.c:270:                   strncat(s_ETA, ETA, sizeof(s_ETA) - 1);
status.c:271:                   strncat(s_ETA, ")", sizeof(s_ETA) - 1);
status.c:293:           strncat(s_ETA, " (ETA: ", sizeof(s_ETA) - 1);
status.c:298:           strncat(s_ETA, ETA, sizeof(s_ETA) - 1);
status.c:299:           strncat(s_ETA, ")", sizeof(s_ETA) - 1);
frank-dittrich commented 9 years ago

All these strncat errors are also reported in the "Anti-pattern in the argument" bug category. Here, the report also suggests a fix:

123     strncat(ret, src, sizeof(ret) - 1);

Potential buffer overflow. Replace with 'sizeof(ret) - strlen(ret) - 1' or use a safer 'strlcat' API
magnumripper commented 9 years ago

So we should replace all those strncat with strlcat and add a strlcat to jumbo.c for systems that don't have it.

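The strncat bound discussed in the comments above and the strlcat replacement proposed here, as an added example that is not John the Ripper code: jtr_strlcat is an OpenBSD-style strlcat written for this example (a name chosen here, not the jumbo.c function), strncat_writes, strncat_is_safe and strncat_bound compute rather than perform the write so the wrong `sizeof(dst) - 1` bound can be shown without actually overflowing, and build_eta rebuilds the " (ETA)" status string into a 128-byte buffer, the size ASan reports for s_ETA. The 199-byte ETA string is constructed input standing in for the padded TimeFormat values.

```c
/* Added example for this thread, not code from John the Ripper: why
 * strncat(dst, src, sizeof(dst) - 1) overflows, what bound strncat really
 * needs, and an strlcat() for platforms that lack one. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of s, never looking past `size` bytes (s may lack a NUL). */
static size_t bounded_len(const char *s, size_t size)
{
    size_t i = 0;
    while (i < size && s[i] != '\0')
        i++;
    return i;
}

/* OpenBSD-style strlcat: appends src to dst, never writes past dst[size-1],
 * NUL-terminates whenever there is room, and returns the length it tried
 * to build, so a result >= size means the output was truncated. */
size_t jtr_strlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = bounded_len(dst, size);
    size_t slen = strlen(src);
    size_t n;

    if (dlen == size)              /* dst already fills the buffer: write nothing */
        return size + slen;
    n = size - dlen - 1;           /* room for src, excluding the NUL */
    if (slen < n)
        n = slen;
    memcpy(dst + dlen, src, n);
    dst[dlen + n] = '\0';
    return dlen + slen;
}

/* Bytes strncat(dst, src, n) writes starting at dst's current NUL:
 * up to n bytes of src, plus the terminating NUL it always appends.
 * The bound limits the read from src, not the write into dst. */
size_t strncat_writes(const char *src, size_t n)
{
    size_t slen = strlen(src);
    return (slen < n ? slen : n) + 1;
}

/* Does strncat(dst, src, n) stay inside a dst of dst_size bytes? */
int strncat_is_safe(const char *dst, size_t dst_size, const char *src, size_t n)
{
    return strlen(dst) + strncat_writes(src, n) <= dst_size;
}

/* The bound the analyzer asks for: sizeof(dst) - strlen(dst) - 1. */
size_t strncat_bound(const char *dst, size_t dst_size)
{
    size_t dlen = strlen(dst);
    return dlen + 1 >= dst_size ? 0 : dst_size - dlen - 1;
}

/* Builds " (<eta>)" into out (out_size >= 1) with strlcat, the way the
 * s_ETA status string is assembled. Returns 1 if it fit, 0 if truncated;
 * once one append truncates, every later one reports truncation too. */
int build_eta(char *out, size_t out_size, const char *eta)
{
    size_t need;
    out[0] = '\0';
    jtr_strlcat(out, " (", out_size);
    jtr_strlcat(out, eta, out_size);
    need = jtr_strlcat(out, ")", out_size);
    return need < out_size;
}

int main(void)
{
    char buf[128];          /* same size ASan reports for s_ETA */
    char long_eta[200];     /* constructed input, like the padded TimeFormat */
    memset(long_eta, 'x', sizeof(long_eta) - 1);
    long_eta[sizeof(long_eta) - 1] = '\0';

    strcpy(buf, " (");
    printf("bound sizeof-1=%zu safe: %d; bound %zu safe: %d\n",
           sizeof buf - 1, strncat_is_safe(buf, sizeof buf, long_eta, sizeof buf - 1),
           strncat_bound(buf, sizeof buf),
           strncat_is_safe(buf, sizeof buf, long_eta, strncat_bound(buf, sizeof buf)));
    printf("strlcat fit everything: %d, result length %zu\n",
           build_eta(buf, sizeof buf, long_eta), strlen(buf));
    return 0;
}
```

With " (" already in the 128-byte buffer, the `sizeof - 1` bound lets strncat write 127 bytes of src plus a NUL, 130 bytes in total, which is the two-byte-plus write past the end ASan flagged; the correct bound is 125. The strlcat return value is the only truncation signal, so callers that care about a complete ETA string should compare it against the buffer size rather than inspecting the result.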
frank-dittrich commented 9 years ago

Yes, I think that is the best way.

magnumripper commented 8 years ago

This issue is too old to be relevant. Any new run -> new issue(s).