Bug 538

Summary: Static Analyzer Check
Product: NSD
Reporter: Devil <devzone.my>
Component: NSD Code
Assignee: NSD team <nsd-team>
Status: NEW
Severity: enhancement
CC: matthijs
Priority: P5
Version: other
Hardware: Other
OS: All

Description Devil 2013-11-13 05:38:16 CET
./axfr.c:175: High: fixed size local buffer
./compat/fake-rfc2553.c:51: High: fixed size local buffer
./compat/inet_ntop.c:86: High: fixed size local buffer
./compat/inet_ntop.c:114: High: fixed size local buffer
./compat/snprintf.c:299: High: fixed size local buffer
./compat/snprintf.c:314: High: fixed size local buffer
./compat/snprintf.c:329: High: fixed size local buffer
./compat/snprintf.c:344: High: fixed size local buffer
./compat/snprintf.c:358: High: fixed size local buffer
./compat/snprintf.c:372: High: fixed size local buffer
./compat/snprintf.c:386: High: fixed size local buffer
./compat/snprintf.c:400: High: fixed size local buffer
./compat/snprintf.c:414: High: fixed size local buffer
./compat/snprintf.c:428: High: fixed size local buffer
./compat/snprintf.c:512: High: fixed size local buffer
./compat/snprintf.c:557: High: fixed size local buffer
./dbcreate.c:224: High: fixed size local buffer
./dbcreate.c:267: High: fixed size local buffer
./dbcreate.c:339: High: fixed size local buffer
./dbcreate.c:340: High: fixed size local buffer
./difffile.c:1198: High: fixed size local buffer
./difffile.c:1199: High: fixed size local buffer
./difffile.c:1200: High: fixed size local buffer
./dname.c:384: High: fixed size local buffer
./dname.c:500: High: fixed size local buffer
./dname.c:522: High: fixed size local buffer
./dns.c:477: High: fixed size local buffer
./dns.c:527: High: fixed size local buffer
./nsd-checkconf.c:194: High: fixed size local buffer
./nsd-checkconf.c:205: High: fixed size local buffer
./nsd-control.c:264: High: fixed size local buffer
./nsd-control.c:269: High: fixed size local buffer
./nsd-control.c:366: High: fixed size local buffer
./nsd-mem.c:116: High: fixed size local buffer
./nsd-mem.c:236: High: fixed size local buffer
./nsd-mem.c:237: High: fixed size local buffer
./nsd.c:179: High: fixed size local buffer
./nsd.c:216: High: fixed size local buffer
./nsd.c:334: High: fixed size local buffer
./nsd.c:409: High: fixed size local buffer
./nsec3.c:102: High: fixed size local buffer
./options.c:150: High: fixed size local buffer
./options.c:239: High: fixed size local buffer
./options.c:319: High: fixed size local buffer
./options.c:567: High: fixed size local buffer
./options.c:658: High: fixed size local buffer
./options.c:1506: High: fixed size local buffer
./options.c:1548: High: fixed size local buffer
./query.c:365: High: fixed size local buffer
./query.c:377: High: fixed size local buffer
./query.c:470: High: fixed size local buffer
./query.c:480: High: fixed size local buffer
./rdata.c:203: High: fixed size local buffer
./rdata.c:216: High: fixed size local buffer
./rdata.c:323: High: fixed size local buffer
./rdata.c:438: High: fixed size local buffer
./region-allocator.c:481: High: fixed size local buffer
./remote.c:193: High: fixed size local buffer
./remote.c:401: High: fixed size local buffer
./remote.c:551: High: fixed size local buffer
./remote.c:651: High: fixed size local buffer
./remote.c:1614: High: fixed size local buffer
./remote.c:1615: High: fixed size local buffer
./remote.c:1616: High: fixed size local buffer
./rrl.c:147: High: fixed size local buffer
./rrl.c:158: High: fixed size local buffer
./rrl.c:170: High: fixed size local buffer
./rrl.c:329: High: fixed size local buffer
./rrl.c:365: High: fixed size local buffer
./server.c:768: High: fixed size local buffer
./server.c:2029: High: fixed size local buffer
./server.c:2094: High: fixed size local buffer
./tpkg/cutest/cutest.c:82: High: fixed size local buffer
./tpkg/cutest/cutest.c:91: High: fixed size local buffer
./tpkg/cutest/cutest.c:154: High: fixed size local buffer
./tpkg/cutest/cutest.c:212: High: fixed size local buffer
./tpkg/cutest/cutest.c:221: High: fixed size local buffer
./tpkg/cutest/cutest.c:230: High: fixed size local buffer
./tpkg/cutest/cutest_iterated_hash.c:33: High: fixed size local buffer
./tpkg/cutest/cutest_iterated_hash.c:34: High: fixed size local buffer
./tpkg/cutest/cutest_iterated_hash.c:36: High: fixed size local buffer
./tpkg/cutest/cutest_options.c:265: High: fixed size local buffer
./tpkg/cutest/cutest_options.c:356: High: fixed size local buffer
./tpkg/cutest/cutest_options.c:396: High: fixed size local buffer
./tpkg/cutest/cutest_rbtree.c:138: High: fixed size local buffer
./tpkg/cutest/cutest_rbtree.c:139: High: fixed size local buffer
./tpkg/cutest/cutest_run.c:93: High: fixed size local buffer
./tpkg/cutest/cutest_udb.c:38: High: fixed size local buffer
./tpkg/cutest/cutest_util.c:129: High: fixed size local buffer
./tpkg/cutest/cutest_util.c:150: High: fixed size local buffer
./tpkg/cutest/qtest.c:110: High: fixed size local buffer
./tpkg/cutest/qtest.c:197: High: fixed size local buffer
./tpkg/cutest/qtest.c:198: High: fixed size local buffer
./tpkg/cutest/qtest.c:241: High: fixed size local buffer
./tsig.c:204: High: fixed size local buffer
./tsig.c:340: High: fixed size local buffer
./tsig.c:341: High: fixed size local buffer
./udbzone.c:314: High: fixed size local buffer
./util.c:174: High: fixed size local buffer
./util.c:548: High: fixed size local buffer
./xfrd-disk.c:29: High: fixed size local buffer
./xfrd-disk.c:477: High: fixed size local buffer
./xfrd-disk.c:495: High: fixed size local buffer
./xfrd-disk.c:509: High: fixed size local buffer
./xfrd-disk.c:517: High: fixed size local buffer
./xfrd-disk.c:537: High: fixed size local buffer
./xfrd.c:1837: High: fixed size local buffer
./zonec.c:392: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated
on the stack are used safely.  They are prime targets for buffer overflow
attacks.

./compat/fake-rfc2553.c:67: High: gethostbyaddr
DNS results can easily be forged by an attacker (or
arbitrarily set to large values, etc), and should not be trusted.

./compat/fake-rfc2553.c:201: High: gethostbyname
DNS results can easily be forged by an attacker (or
arbitrarily set to large values, etc), and should not be trusted.

./contrib/bind2nsd/bind2nsd/NsdConf.py:442: High: system
Argument 1 to this function call should be checked to ensure that it does not
come from an untrusted source without first verifying that it contains nothing
dangerous.

./nsd-checkconf.c:625: High: getopt
./nsd-control.c:379: High: getopt
./nsd-mem.c:291: High: getopt
./nsd.c:458: High: getopt
./tpkg/cutest/cutest_run.c:118: High: getopt
./tpkg/cutest/udb-inspect.c:648: High: getopt
Truncate all input strings to a reasonable length
before passing them to this function.

./nsd.c:64: High: fprintf
./nsd.c:78: High: fprintf
./options.c:425: High: fprintf
./options.c:580: High: fprintf
Check to be sure that the non-constant format string passed as argument 2 to
this function call does not come from an untrusted source that could have added
formatting characters that the code is not prepared to handle.

./options.c:669: High: vfprintf
Check to be sure that the non-constant format string passed as argument 2 to
this function call does not come from an untrusted source that could have added
formatting characters that the code is not prepared to handle.

./util.c:151: High: syslog
Truncate all input strings to a reasonable length
before passing them to this function.

./xfrd-disk.c:32: High: fscanf
Check to be sure that the format string passed as argument 2 to this function
call does not come from an untrusted source that could have added formatting
characters that the code is not prepared to handle.  Additionally, the format
string could contain `%s' without precision that could result in a buffer
overflow.

./rrl.c:452: Medium: random
./server.c:654: Medium: random
./tpkg/cutest/cutest_radtree.c:223: Medium: random
./tpkg/cutest/cutest_radtree.c:664: Medium: random
./tpkg/cutest/cutest_radtree.c:695: Medium: random
./tpkg/cutest/cutest_udb.c:75: Medium: random
./tpkg/cutest/cutest_udb.c:296: Medium: random
./tpkg/cutest/cutest_udb.c:302: Medium: random
./tpkg/cutest/cutest_udb.c:314: Medium: random
./tpkg/cutest/cutest_udbrad.c:289: Medium: random
./tpkg/cutest/cutest_udbrad.c:671: Medium: random
./tpkg/cutest/cutest_util.c:136: Medium: random
./util.c:860: Medium: random
./util.c:872: Medium: random
./xfrd.c:665: Medium: random
./xfrd.c:984: Medium: random
./xfrd.c:183: Medium: srandom
Standard random number generators should not be used to
generate randomness used for security reasons.  For security sensitive
randomness a cryptographic randomness generator that provides sufficient
entropy should be used.

./tpkg/cutest/cutest.c:61: Medium: realloc
./util.c:254: Medium: realloc
Don't use on memory intended to be secure, because the old structure will not be zeroed out.

./tpkg/cutest/cutest_rbtree.c:432: Medium: srand
./tpkg/cutest/cutest_rbtree.c:448: Medium: srand
./tpkg/cutest/cutest_rbtree.c:470: Medium: srand
./tpkg/cutest/cutest_rbtree.c:637: Medium: srand
Standard random number generators should not be used to
generate randomness used for security reasons.  For security sensitive
randomness a cryptographic randomness generator that provides sufficient
entropy should be used.

./tpkg/cutest/cutest_region.c:72: Medium: drand48
./tpkg/cutest/cutest_region.c:294: Medium: drand48
Standard random number generators should not be used to
generate randomness used for security reasons.  For security sensitive
randomness a cryptographic randomness generator that provides sufficient
entropy should be used.

./tpkg/cutest/cutest_region.c:288: Medium: srand48
Standard random number generators should not be used to
generate randomness used for security reasons.  For security sensitive
randomness a cryptographic randomness generator that provides sufficient
entropy should be used.

Comment 1 Matthijs Mekking 2013-11-13 08:55:02 CET
Hi,

Thank you for running this check on NSD4! Could you tell us which version of NSD4 you ran this analyzer on?

About the reports:

* fixed size local buffer: As far as I can see, all these buffers have careful length checks.

* gethostbyaddr and gethostbyname: Yes, but not sure how to fix that without having a DNSSEC API.

* system: Yes, zonefile here may be dangerous. But this is not vulnerable to a remote attack.

* getopt, syslog: What is a reasonable length?

* fprintf: All constant strings.

* fscanf: %s has precision.

* random and srandom: These are only used if arc4random is not available.

* realloc: xrealloc is used only once in the code, with the intention that the old data is not zeroed out.

Comment 2 Devil 2013-11-13 08:57:24 CET
trunk version used

svn checkout http://www.nlnetlabs.nl/svn/nsd/trunk/ nsd4