diff -Nuar rats-2.1.orig/report.c rats-2.1/report.c
--- rats-2.1.orig/report.c 2002-09-16 21:05:43.000000000 -0700
+++ rats-2.1/report.c 2006-05-21 23:16:16.323046789 -0700
@@ -122,9 +122,15 @@
return result;
}
-
-
-
+/* Exclusively for debugging vulnerabilities.
+ * - robbat2@gentoo.org 21/05/2006 */
+static void debug_vuln_dump(vulnerability_t *ptr) {
+ fprintf(stderr,"vuln_dump: this=%x f=%s l=%d c=%d d=%x t=%d s=%d u=%x p=(%x,%x)\n",
+ ptr,
+ ptr->filename,ptr->lineno,ptr->column,
+ ptr->data,ptr->type,ptr->severity,
+ ptr->uses,ptr->next,ptr->prev);
+}
static void
replace_cfname(char *filename)
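Review bot: The format string in debug_vuln_dump prints pointer values with `%x`, which expects an `unsigned int`; passing `ptr`, `ptr->data`, `ptr->uses` and (presumably also pointers) `ptr->next`/`ptr->prev` that way is undefined behaviour and on 64-bit builds silently truncates the addresses, so the dump it exists to produce is unreliable exactly where it is needed. Use `%p` with each argument cast to `(void *)`; the remaining `%d` conversions can stay as they are. Since this helper writes to stderr unconditionally and is called from the report paths in the later hunks, a one-line header comment such as `/* Dumps a vulnerability_t whose data pointer is NULL; called from the report/build_* paths before they dereference it. */` would make the intent clearer than the current author/date line.
```c
static void debug_vuln_dump(vulnerability_t *ptr) {
	fprintf(stderr, "vuln_dump: this=%p f=%s l=%d c=%d d=%p t=%d s=%d u=%p p=(%p,%p)\n",
		(void *)ptr,
		ptr->filename, ptr->lineno, ptr->column,
		(void *)ptr->data, ptr->type, ptr->severity,
		(void *)ptr->uses, (void *)ptr->next, (void *)ptr->prev);
}
```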
@@ -317,6 +323,27 @@
insert_vulnerability(log);
}
+/* These are special static vulnerabilities because we don't
+ * want NULL data elements in the vulnerability_t->data
+ * field, because the HTML and XML output formats use that
+ * pointer without checking it for being null first.
+ * - robbat2@gentoo.org 21/05/2006 */
+static struct Vuln_t vuln_PerlBacktick = {
+ .Name = "Perl Backtick"
+};
+static struct Vuln_t vuln_PhpBacktick = {
+ .Name = "PHP Backtick"
+};
+static struct Vuln_t vuln_PythonBacktick = {
+ .Name = "Python Backtick"
+};
+static struct Vuln_t vuln_StaticLocalBuffer = {
+ .Name = "Static Local Buffer"
+};
+static struct Vuln_t vuln_StaticGlobalBuffer = {
+ .Name = "Static Global Buffer"
+};
+
void log_perlbacktick(int lineno, int column, Severity_t severity)
{
vulnerability_t * log;
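Review bot: The five sentinel `struct Vuln_t` objects only initialize `.Name`, so every other member is zero/NULL, and the comment above them documents only that the `data` pointer itself is dereferenced unchecked by the HTML and XML writers. If any output path also reads other `Vuln_t` members (descriptions, references, or similar — not visible here), this trades a NULL `data` for a NULL member and the crash moves rather than disappears. I would extend the comment to state that contract explicitly, e.g. `/* Only .Name is set; all other members are zero. Output code must tolerate NULL/zero members on these sentinels. */`, and confirm against the writers which members they touch. Note also that designated initializers are C99; the rest of this 2002 code base may be built as C89 on some toolchains, which is worth checking. log_perlbacktick continues outside the hunk.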
@@ -325,7 +352,7 @@
log->filename = current_file;
log->column = column;
log->lineno = lineno;
- log->data = (Vuln_t *)NULL;
+ log->data = &vuln_PerlBacktick;
log->type = PerlBacktick;
log->severity = severity;
log->uses = (toctou_use_t *)NULL;
@@ -342,7 +369,7 @@
log->filename = current_file;
log->column = column;
log->lineno = lineno;
- log->data = (Vuln_t *)NULL;
+ log->data = &vuln_PhpBacktick;
log->type = PhpBacktick;
log->severity = severity;
log->uses = (toctou_use_t *)NULL;
@@ -358,7 +385,7 @@
log->filename = current_file;
log->column = column;
log->lineno = lineno;
- log->data = (Vuln_t *)NULL;
+ log->data = &vuln_PythonBacktick;
log->type = PythonBacktick;
log->severity = severity;
log->uses = (toctou_use_t *)NULL;
@@ -374,7 +401,16 @@
log->filename = current_file;
log->column = column;
log->lineno = lineno;
- log->data = (Vuln_t *)NULL;
+ switch(type) {
+ case StaticLocalBuffer:
+ log->data = &vuln_StaticLocalBuffer;
+ break;
+ case StaticGlobalBuffer:
+ log->data = &vuln_StaticGlobalBuffer;
+ break;
+ default:
+ log->data = (Vuln_t *)NULL;
+ }
log->type = type;
log->severity = severity;
log->uses = (toctou_use_t *)NULL;
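Review bot: The `default:` arm of the new switch still stores `(Vuln_t *)NULL` into `log->data`, so the unchecked NULL dereference that the hunk at lines 153-172 describes as the reason for introducing the sentinel objects remains reachable for any `type` other than StaticLocalBuffer or StaticGlobalBuffer. Either route that case to a generic fallback sentinel (a constructed name, e.g. `default: log->data = &vuln_Unknown;`, defined alongside the others with only `.Name` set), or make the HTML/XML writers check `ptr->data` before use so the invariant does not depend on every caller. At minimum the arm deserves a comment saying that NULL is still possible here and is caught only by the debug dump in the report paths. The enclosing function starts and ends outside the hunk.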
@@ -432,6 +468,10 @@
static void build_xml_vulnerability(vulnerability_t *ptr) {
int i;
+ /* Debugging - robbat2@gentoo.org 21/05/2006 */
+ if(ptr->data == NULL)
+ debug_vuln_dump(ptr);
+
printf("<vulnerability>\n");
/* Output the severity */
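Review bot: The added `if(ptr->data == NULL) debug_vuln_dump(ptr);` only logs and then falls through, so when `data` is NULL the function still proceeds into the code that (per the comment in the hunk at lines 153-157) dereferences it unchecked; the dump records the crash, it does not prevent it. The same pattern is added in report_vulnerability (hunk at lines 231-238) and build_html_vulnerability (hunk at lines 239-249). Consider deciding the behaviour explicitly — for example `if (ptr->data == NULL) { debug_vuln_dump(ptr); return; }` if an entry without descriptive data should be skipped, or a placeholder name in the output if it should still be reported — and gate the stderr dump behind a debug/verbose flag, since as written it fires in every build. build_xml_vulnerability continues outside the hunk.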
@@ -593,6 +633,8 @@
void report_vulnerability(vulnerability_t *ptr)
{
int i;
+ if(ptr->data == NULL)
+ debug_vuln_dump(ptr);
switch (ptr->type)
{
@@ -890,8 +932,10 @@
static void build_html_vulnerability(vulnerability_t *ptr) {
int i;
-
-
+
+ /* Debugging - robbat2@gentoo.org 21/05/2006 */
+ if(ptr->data == NULL)
+ debug_vuln_dump(ptr);
/* Output the severity */
printf(" <b>Severity: %s</b><br/>\n",