Bug 538 - Static Analyzer Check
Status: NEW
Product: NSD
Classification: Unclassified
Component: NSD Code
Version: other
Hardware: Other All
Importance: P5 enhancement
Assigned To: NSD team
Reported: 2013-11-13 05:38 CET by Devil
Modified: 2013-11-13 08:57 CET (History)

Description Devil 2013-11-13 05:38:16 CET
./axfr.c:175: High: fixed size local buffer
./compat/fake-rfc2553.c:51: High: fixed size local buffer
./compat/inet_ntop.c:86: High: fixed size local buffer
./compat/inet_ntop.c:114: High: fixed size local buffer
./compat/snprintf.c:299: High: fixed size local buffer
./compat/snprintf.c:314: High: fixed size local buffer
./compat/snprintf.c:329: High: fixed size local buffer
./compat/snprintf.c:344: High: fixed size local buffer
./compat/snprintf.c:358: High: fixed size local buffer
./compat/snprintf.c:372: High: fixed size local buffer
./compat/snprintf.c:386: High: fixed size local buffer
./compat/snprintf.c:400: High: fixed size local buffer
./compat/snprintf.c:414: High: fixed size local buffer
./compat/snprintf.c:428: High: fixed size local buffer
./compat/snprintf.c:512: High: fixed size local buffer
./compat/snprintf.c:557: High: fixed size local buffer
./dbcreate.c:224: High: fixed size local buffer
./dbcreate.c:267: High: fixed size local buffer
./dbcreate.c:339: High: fixed size local buffer
./dbcreate.c:340: High: fixed size local buffer
./difffile.c:1198: High: fixed size local buffer
./difffile.c:1199: High: fixed size local buffer
./difffile.c:1200: High: fixed size local buffer
./dname.c:384: High: fixed size local buffer
./dname.c:500: High: fixed size local buffer
./dname.c:522: High: fixed size local buffer
./dns.c:477: High: fixed size local buffer
./dns.c:527: High: fixed size local buffer
./nsd-checkconf.c:194: High: fixed size local buffer
./nsd-checkconf.c:205: High: fixed size local buffer
./nsd-control.c:264: High: fixed size local buffer
./nsd-control.c:269: High: fixed size local buffer
./nsd-control.c:366: High: fixed size local buffer
./nsd-mem.c:116: High: fixed size local buffer
./nsd-mem.c:236: High: fixed size local buffer
./nsd-mem.c:237: High: fixed size local buffer
./nsd.c:179: High: fixed size local buffer
./nsd.c:216: High: fixed size local buffer
./nsd.c:334: High: fixed size local buffer
./nsd.c:409: High: fixed size local buffer
./nsec3.c:102: High: fixed size local buffer
./options.c:150: High: fixed size local buffer
./options.c:239: High: fixed size local buffer
./options.c:319: High: fixed size local buffer
./options.c:567: High: fixed size local buffer
./options.c:658: High: fixed size local buffer
./options.c:1506: High: fixed size local buffer
./options.c:1548: High: fixed size local buffer
./query.c:365: High: fixed size local buffer
./query.c:377: High: fixed size local buffer
./query.c:470: High: fixed size local buffer
./query.c:480: High: fixed size local buffer
./rdata.c:203: High: fixed size local buffer
./rdata.c:216: High: fixed size local buffer
./rdata.c:323: High: fixed size local buffer
./rdata.c:438: High: fixed size local buffer
./region-allocator.c:481: High: fixed size local buffer
./remote.c:193: High: fixed size local buffer
./remote.c:401: High: fixed size local buffer
./remote.c:551: High: fixed size local buffer
./remote.c:651: High: fixed size local buffer
./remote.c:1614: High: fixed size local buffer
./remote.c:1615: High: fixed size local buffer
./remote.c:1616: High: fixed size local buffer
./rrl.c:147: High: fixed size local buffer
./rrl.c:158: High: fixed size local buffer
./rrl.c:170: High: fixed size local buffer
./rrl.c:329: High: fixed size local buffer
./rrl.c:365: High: fixed size local buffer
./server.c:768: High: fixed size local buffer
./server.c:2029: High: fixed size local buffer
./server.c:2094: High: fixed size local buffer
./tpkg/cutest/cutest.c:82: High: fixed size local buffer
./tpkg/cutest/cutest.c:91: High: fixed size local buffer
./tpkg/cutest/cutest.c:154: High: fixed size local buffer
./tpkg/cutest/cutest.c:212: High: fixed size local buffer
./tpkg/cutest/cutest.c:221: High: fixed size local buffer
./tpkg/cutest/cutest.c:230: High: fixed size local buffer
./tpkg/cutest/cutest_iterated_hash.c:33: High: fixed size local buffer
./tpkg/cutest/cutest_iterated_hash.c:34: High: fixed size local buffer
./tpkg/cutest/cutest_iterated_hash.c:36: High: fixed size local buffer
./tpkg/cutest/cutest_options.c:265: High: fixed size local buffer
./tpkg/cutest/cutest_options.c:356: High: fixed size local buffer
./tpkg/cutest/cutest_options.c:396: High: fixed size local buffer
./tpkg/cutest/cutest_rbtree.c:138: High: fixed size local buffer
./tpkg/cutest/cutest_rbtree.c:139: High: fixed size local buffer
./tpkg/cutest/cutest_run.c:93: High: fixed size local buffer
./tpkg/cutest/cutest_udb.c:38: High: fixed size local buffer
./tpkg/cutest/cutest_util.c:129: High: fixed size local buffer
./tpkg/cutest/cutest_util.c:150: High: fixed size local buffer
./tpkg/cutest/qtest.c:110: High: fixed size local buffer
./tpkg/cutest/qtest.c:197: High: fixed size local buffer
./tpkg/cutest/qtest.c:198: High: fixed size local buffer
./tpkg/cutest/qtest.c:241: High: fixed size local buffer
./tsig.c:204: High: fixed size local buffer
./tsig.c:340: High: fixed size local buffer
./tsig.c:341: High: fixed size local buffer
./udbzone.c:314: High: fixed size local buffer
./util.c:174: High: fixed size local buffer
./util.c:548: High: fixed size local buffer
./xfrd-disk.c:29: High: fixed size local buffer
./xfrd-disk.c:477: High: fixed size local buffer
./xfrd-disk.c:495: High: fixed size local buffer
./xfrd-disk.c:509: High: fixed size local buffer
./xfrd-disk.c:517: High: fixed size local buffer
./xfrd-disk.c:537: High: fixed size local buffer
./xfrd.c:1837: High: fixed size local buffer
./zonec.c:392: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that are allocated
on the stack are used safely.  They are prime targets for buffer overflow
attacks.

./compat/fake-rfc2553.c:67: High: gethostbyaddr
DNS results can easily be forged by an attacker (or
arbitrarily set to large values, etc), and should not be trusted.

./compat/fake-rfc2553.c:201: High: gethostbyname
DNS results can easily be forged by an attacker (or
arbitrarily set to large values, etc), and should not be trusted.

./contrib/bind2nsd/bind2nsd/NsdConf.py:442: High: system
Argument 1 to this function call should be checked to ensure that it does not
come from an untrusted source without first verifying that it contains nothing
dangerous.

./nsd-checkconf.c:625: High: getopt
./nsd-control.c:379: High: getopt
./nsd-mem.c:291: High: getopt
./nsd.c:458: High: getopt
./tpkg/cutest/cutest_run.c:118: High: getopt
./tpkg/cutest/udb-inspect.c:648: High: getopt
Truncate all input strings to a reasonable length
before passing them to this function

./nsd.c:64: High: fprintf
./nsd.c:78: High: fprintf
./options.c:425: High: fprintf
./options.c:580: High: fprintf
Check to be sure that the non-constant format string passed as argument 2 to
this function call does not come from an untrusted source that could have added
formatting characters that the code is not prepared to handle.

./options.c:669: High: vfprintf
Check to be sure that the non-constant format string passed as argument 2 to
this function call does not come from an untrusted source that could have added
formatting characters that the code is not prepared to handle.

./util.c:151: High: syslog
Truncate all input strings to a reasonable length
before passing them to this function

./xfrd-disk.c:32: High: fscanf
Check to be sure that the format string passed as argument 2 to this function
call does not come from an untrusted source that could have added formatting
characters that the code is not prepared to handle.  Additionally, the format
string could contain `%s' without precision that could result in a buffer
overflow.

./rrl.c:452: Medium: random
./server.c:654: Medium: random
./tpkg/cutest/cutest_radtree.c:223: Medium: random
./tpkg/cutest/cutest_radtree.c:664: Medium: random
./tpkg/cutest/cutest_radtree.c:695: Medium: random
./tpkg/cutest/cutest_udb.c:75: Medium: random
./tpkg/cutest/cutest_udb.c:296: Medium: random
./tpkg/cutest/cutest_udb.c:302: Medium: random
./tpkg/cutest/cutest_udb.c:314: Medium: random
./tpkg/cutest/cutest_udbrad.c:289: Medium: random
./tpkg/cutest/cutest_udbrad.c:671: Medium: random
./tpkg/cutest/cutest_util.c:136: Medium: random
./util.c:860: Medium: random
./util.c:872: Medium: random
./xfrd.c:665: Medium: random
./xfrd.c:984: Medium: random
./xfrd.c:183: Medium: srandom
Standard random number generators should not be used to
generate randomness used for security reasons.  For security sensitive
randomness a crytographic randomness generator that provides sufficient
entropy should be used.

./tpkg/cutest/cutest.c:61: Medium: realloc
./util.c:254: Medium: realloc
Don't use on memory intended to be secure, because the old structure will not be zeroed out.

./tpkg/cutest/cutest_rbtree.c:432: Medium: srand
./tpkg/cutest/cutest_rbtree.c:448: Medium: srand
./tpkg/cutest/cutest_rbtree.c:470: Medium: srand
./tpkg/cutest/cutest_rbtree.c:637: Medium: srand
Standard random number generators should not be used to
generate randomness used for security reasons.  For security sensitive
randomness a crytographic randomness generator that provides sufficient
entropy should be used.

./tpkg/cutest/cutest_region.c:72: Medium: drand48
./tpkg/cutest/cutest_region.c:294: Medium: drand48
Standard random number generators should not be used to
generate randomness used for security reasons.  For security sensitive
randomness a crytographic randomness generator that provides sufficient
entropy should be used.

./tpkg/cutest/cutest_region.c:288: Medium: srand48
Standard random number generators should not be used to
generate randomness used for security reasons.  For security sensitive
randomness a crytographic randomness generator that provides sufficient
entropy should be used.
Comment 1 Matthijs Mekking 2013-11-13 08:55:02 CET
Hi, 

Thank you for running this check on NSD4! Could you tell us which version of NSD4 you run this analyzer on? 

About the reports:

* fixed size local buffer: As far as I can see, all these buffers have careful length checks.

* gethostbyaddr and gethostbyname: Yes, but not sure how to fix that without having a DNSSEC API.

* system: Yes, zonefile here may be dangerous. But this is not vulnerable for a remote attack.

* getopt, syslog: What is a reasonable length?

* fprintf: All constant strings.

* fscanf: %s has precision.

* random and srandom: These are only used if arc4random is not available.

* realloc: xrealloc is used only once in the code, with the intention that the old data is not zeroed out.
Comment 2 Devil 2013-11-13 08:57:24 CET
Trunk version used.

svn checkout http://www.nlnetlabs.nl/svn/nsd/trunk/ nsd4