For find.c, it turns out that exploitable vulnerabilities exist at both sprintf() calls, and the
buffer declared at line 172 can be overflowed with a properly formatted input packet.
However, there is no guarantee that all potentially exploitable code will be located by
such tools. For larger programs, the number of false positives increases and the usefulness
of the tool for locating vulnerabilities decreases. It is left to the tenacity of the auditor
to run down all of the potential problems.
Splint is a derivative of the C semantic checker Lint, and as such generates significantly
more information than any of the other tools. Splint will point out many types of programming
problems, such as use of uninitialized variables, type mismatches, potential memory
leaks, use of typically insecure functions, and failure to check function return values.
CAUTION: Many programming languages allow the programmer to ignore the
values returned by functions. This is a dangerous practice, as function return values
are often used to indicate error conditions. Assuming that all functions complete
successfully is another common programming problem that leads to crashes.
In scanning for security-related problems, the major difference between Splint and
the other free tools is that Splint recognizes specially formatted comments embedded in
the source files that it scans.
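As an added example, not code from find.c (which this page does not show), here is a constructed reply builder with the unbounded sprintf() pattern the text describes beside a bounded version whose return value is checked rather than ignored. The @notnull@ markers are Splint annotations taken from its documentation, and REPLY_SIZE, the function names and the message format are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define REPLY_SIZE 64   /* constructed size; the real find.c buffer size is not given here */

/* "Before": the pattern the text describes. sprintf() has no bound, so a
 * long 'name' taken from an input packet overruns reply[] on the stack.
 * Kept only for comparison; it is never called below. */
int build_reply_unsafe(char *reply, const char *name)
{
    return sprintf(reply, "FOUND %s\r\n", name);
}

/* "After": snprintf() is bounded, and its return value is checked instead
 * of ignored (the CAUTION above). Returns 1 on success, 0 if the message
 * would not fit. The notnull annotations tell Splint that neither pointer
 * may be NULL, so it flags callers that pass a possibly-NULL value. */
int build_reply_safe(/*@notnull@*/ char *reply, size_t reply_len,
                     /*@notnull@*/ const char *name)
{
    /* snprintf returns the length the full message would have had, even
     * when it was cut off, so n >= reply_len means truncation occurred. */
    int n = snprintf(reply, reply_len, "FOUND %s\r\n", name);
    if (n < 0 || (size_t)n >= reply_len) {
        reply[0] = '\0';     /* do not hand back a partial message */
        return 0;
    }
    return 1;
}

int main(void)
{
    char reply[REPLY_SIZE];
    char big[200];
    memset(big, 'A', sizeof big - 1);   /* constructed oversized field */
    big[sizeof big - 1] = '\0';

    printf("short name: %d\n", build_reply_safe(reply, sizeof reply, "alice"));
    printf("long name:  %d\n", build_reply_safe(reply, sizeof reply, big));
    return 0;
}
```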