Changeset 927d0c70c763dcf56e6f12ebe02a51688468a5c3

Timestamp:

06/08/09 21:12:46 (3 years ago)

Author:

Neutron Soutmun <neo.neutron@…>

Children:

bae014d9f22e13f6115d53d154e6489f20ae00e4

Parents:

5987af1b79b0c1fbd4aa9d30a53ec6879853ece3

git-committer:

Neutron Soutmun <neo.neutron@…> (06/08/09 21:12:46)

Message:

Follow the flawfinder guideline

• Reduce the vulnerability code by follow the advice of flawfinder.
• Just finish one of the TODO lists.

Files:

• TODO (modified) (1 diff)
• src/rahunasd.c (modified) (1 diff)
• src/rh-config.c (modified) (3 diffs)
• src/rh-ipset.c (modified) (5 diffs)
• src/rh-task-bandwidth.c (modified) (2 diffs)
• src/rh-task-dbset.c (modified) (3 diffs)
• src/rh-task-memset.c (modified) (1 diff)

TODO

@@ -1 +1 @@
 - new version of ipset released, need test (work ?)
 - write the readme. (may Suriya ?)
-- using flawfinder to guideline the code vulnerability.

src/rahunasd.c

@@ -366 +366 @@
   }
 
-  sprintf(version, "Starting %s - Version %s", PROGRAM, RAHUNAS_VERSION);
+  snprintf(version, sizeof (version), "Starting %s - Version %s", PROGRAM, 
+           RAHUNAS_VERSION);
   logmsg(RH_LOG_NORMAL, version);
 

src/rh-config.c

@@ -370 +370 @@
     {
       iface = (struct interfaces *)runner->data;
-      if (strncmp(iface->dev_internal, inf_name, strlen(inf_name)) == 0)
+      if (iface->dev_internal &&
+          strncmp(iface->dev_internal, inf_name, strlen(inf_name)) == 0)
         {
           // Already in the list
@@ -388 +389 @@
     }
 
-  strncpy(item->dev_internal, inf_name, 32);
-  sprintf(item->dev_ifb, "ifb%d", ifb_ifno);
+  strncpy(item->dev_internal, inf_name, sizeof (item->dev_internal));
+  snprintf(item->dev_ifb, sizeof (item->dev_ifb), "ifb%d", ifb_ifno);
   item->init = 0;
   item->hit  = 1;
@@ -411 +412 @@
     {
       iface = (struct interfaces *)runner->data;
-      if (strncmp (iface->dev_internal, inf_name, strlen (inf_name)) == 0)
+      if (iface->dev_internal &&
+          strncmp (iface->dev_internal, inf_name, strlen (inf_name)) == 0)
         {
           iface->hit--;

src/rh-ipset.c

@@ -122 +122 @@
   req_adt_get.op = IP_SET_OP_ADT_GET;
   req_adt_get.version = IP_SET_PROTOCOL_VERSION;
-  strcpy(req_adt_get.set.name, name);
+  strncpy(req_adt_get.set.name, name, IP_SET_MAXNAMELEN);
   size = sizeof(struct ip_set_req_adt_get);
 
@@ -150 +150 @@
 {
   unsigned int i = 0;
+  if (!mac)
+    return;
+
   if (strlen(mac) != ETH_ALEN * 3 - 1)
     return;
@@ -181 +184 @@
   static char mac_string[18] = "";
  
-  sprintf(mac_string, "%02X:%02X:%02X:%02X:%02X:%02X", 
+  snprintf(mac_string, sizeof (mac_string), "%02X:%02X:%02X:%02X:%02X:%02X", 
           macaddress[0], macaddress[1], macaddress[2],
           macaddress[3], macaddress[4], macaddress[5]);
@@ -261 +264 @@
   req.op = IP_SET_OP_FLUSH;
   req.version = IP_SET_PROTOCOL_VERSION;
-  strcpy(req.name, name);
+  strncpy(req.name, name, IP_SET_MAXNAMELEN);
 
   kernel_sendto(&req, sizeof(struct ip_set_req_std));
@@ -288 +291 @@
   req_max_sets.op = IP_SET_OP_MAX_SETS;
   req_max_sets.version = IP_SET_PROTOCOL_VERSION;
-  strcpy(req_max_sets.set.name, name);
+  strncpy(req_max_sets.set.name, name, IP_SET_MAXNAMELEN);
   size = sizeof(req_max_sets);
   kernel_getfrom(&req_max_sets, &size);

src/rh-task-bandwidth.c

@@ -282 +282 @@
   
   // Formating the bandwidth request
-  sprintf(bw_req.ip, "%s", idtoip(vs->v_map, req->id));
-  sprintf(bw_req.bandwidth_max_down, "%lu", 
-    member->bandwidth_max_down);
-  sprintf(bw_req.bandwidth_max_up, "%lu", 
-    member->bandwidth_max_up);
+  snprintf(bw_req.ip, sizeof (bw_req.ip), "%s", idtoip(vs->v_map, req->id));
+  snprintf(bw_req.bandwidth_max_down, sizeof (bw_req.bandwidth_max_down), 
+           "%lu", member->bandwidth_max_down);
+  snprintf(bw_req.bandwidth_max_up, sizeof (bw_req.bandwidth_max_up), "%lu", 
+           member->bandwidth_max_up);
   
   while (max_try > 0) { 
     slot_id = _get_slot_id();
-    sprintf(bw_req.slot_id, "%d", slot_id);
+    snprintf(bw_req.slot_id, sizeof (bw_req.slot_id), "%d", slot_id);
     if (bandwidth_add(vs, &bw_req) == 0)
       break;
@@ -328 +328 @@
     return 0;
 
-  sprintf(bw_req.slot_id, "%d", slot_id);
+  snprintf(bw_req.slot_id, sizeof (bw_req.slot_id), "%d", slot_id);
 
   if (bandwidth_del(vs, &bw_req) == 0) {

src/rh-task-dbset.c

@@ -294 +294 @@
                  GDA_CONNECTION_OPTIONS_READ_ONLY, NULL);
 
-  sprintf(select_cmd, "SELECT * FROM dbset WHERE vserver_id='%d'",
-          vs->vserver_config->vserver_id);
+  snprintf(select_cmd, sizeof (select_cmd), 
+           "SELECT * FROM dbset WHERE vserver_id='%d'",
+           vs->vserver_config->vserver_id);
 
   DP("SQL: %s", select_cmd);
@@ -343 +344 @@
   member = (struct rahunas_member *) member_node->data;
 
-  sprintf(startsess_cmd, "INSERT INTO dbset"
+  snprintf(startsess_cmd, sizeof (startsess_cmd), "INSERT INTO dbset"
          "(session_id,vserver_id,username,ip,mac,session_start,"
          "session_timeout,bandwidth_slot_id,bandwidth_max_down,"
@@ -394 +395 @@
   DP("SessionID : %s", member->session_id);
 
-  sprintf(stopsess_cmd, "DELETE FROM dbset WHERE "
+  snprintf(stopsess_cmd, sizeof (stopsess_cmd), "DELETE FROM dbset WHERE "
          "session_id='%s' AND username='%s' AND vserver_id='%d'",
          member->session_id, 

src/rh-task-memset.c

@@ -200 +200 @@
   switch (req->req_opt) {
     case RH_RADIUS_TERM_IDLE_TIMEOUT :
-      strcpy(cause, "idle timeout");
+      strncpy(cause, "idle timeout", sizeof (cause));
       break;
     case RH_RADIUS_TERM_SESSION_TIMEOUT :
-      strcpy(cause, "session timeout");
+      strncpy(cause, "session timeout", sizeof (cause));
       break;
     case RH_RADIUS_TERM_USER_REQUEST :
-      strcpy(cause, "user request");
+      strncpy(cause, "user request", sizeof (cause));
       break;
     case RH_RADIUS_TERM_NAS_REBOOT :
-      strcpy(cause, "nas reboot");
+      strncpy(cause, "nas reboot", sizeof (cause));
       break;
     case RH_RADIUS_TERM_ADMIN_RESET :
-      strcpy(cause, "admin reset");
+      strncpy(cause, "admin reset", sizeof (cause));
       break;
   }