Thread: flawfinder

    #1
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2015
    Posts
    14
    Rep Power
    0

    flawfinder


    Hi all,
    I have a problem understanding which report is a false positive and which is a true positive.
    I ran flawfinder and RATS. For example, in this case:

    char cbuff[255]; =====> flawfinder didn't find a vulnerability, but RATS found: fixed size local buffer, overflow attack
    .
    .
    .
    while (fscanf(wfp,"%s",cbuff)==1) ==> both found a vulnerability, overflow attack

    Could you please help me identify which is a false positive and which is a true positive?
    #2
    Contributed User
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jun 2005
    Posts
    4,465
    Rep Power
    1875
    What do you mean?

    Neither is a false positive, both correctly identify the problem as a true positive.

    Perhaps you should post your actual error messages.

    > flawfinder didn't find vulnerability. but rats found:fixed size local buffer, overflow attack
    It would seem to me that rats is just cross-referencing the 'use' of buffer (calling fscanf) with where the variable is declared.

    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper
    #3
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2015
    Posts
    14
    Rep Power
    0
    I have a task: I used these two tools, flawfinder and RATS, on my C program to find vulnerabilities. I have to identify which alerts reported by the tools are false positives and which are true positives.
    These are the two pieces of code I used and got reports about. I have trouble finding which are false positives and which are true positives.

    char cbuff[255];

    RATS ====>
    wordharvest.c:130: High: fixed size local buffer,Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks

    while (fscanf(wfp,"%s",cbuff)==1)

    Flawfinder ====>
    ./Task3/wordharvest.c:134: [4] (buffer) fscanf:
    The scanf() family's %s operation, without a limit specification, permits
    buffer overflows (CWE-120, CWE-20). Specify a limit to %s, or use a
    different input function.

    RATS====>
    wordharvest.c:134: High: fscanf, Check to be sure that the format string passed as argument 2 to this function
    call does not come from an untrusted source that could have added formatting
    characters that the code is not prepared to handle. Additionally, the format
    string could contain `%s' without precision that could result in a buffer
    overflow.
    #4
    Contributed User
    Devshed Specialist (4000 - 4499 posts)

    Join Date
    Jun 2005
    Posts
    4,465
    Rep Power
    1875
    So if you change it to
    fscanf(wfp,"%254s",cbuff)
    does everything resolve itself?

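The width fix suggested above, as an added example that is not code from the thread: it assumes the 255-byte stack buffer of the posted code, derives the "%254s" format from that size so the two cannot drift apart, and reads constructed input through a temporary file. It also shows the one behavioural caveat of the fix: a token longer than 254 bytes is no longer an overflow, but it comes back split across several fscanf() calls.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CBUFF_WIDTH 254                   /* most chars fscanf may store */
#define STR2(x) #x
#define STR(x) STR2(x)
#define WORD_FMT "%" STR(CBUFF_WIDTH) "s"  /* expands to "%254s" */

struct harvest { int words; size_t longest; };

/* Reads every whitespace-separated word from fp into a fixed-size stack
 * buffer. The width in WORD_FMT bounds each store to 254 bytes plus the NUL,
 * so an over-long token cannot overflow cbuff; it is instead returned in
 * 254-byte pieces on successive iterations (a correctness caveat, not a
 * memory-safety one). */
struct harvest harvest_words(FILE *fp) {
    char cbuff[CBUFF_WIDTH + 1];          /* 255 bytes, as in the thread */
    struct harvest h = {0, 0};
    while (fscanf(fp, WORD_FMT, cbuff) == 1) {
        size_t n = strlen(cbuff);
        h.words++;
        if (n > h.longest) h.longest = n;
    }
    return h;
}

/* Runs the same loop over a string by staging it in a temporary file. */
struct harvest harvest_string(const char *text) {
    struct harvest h = {0, 0};
    FILE *fp = tmpfile();
    if (fp == NULL) return h;
    fputs(text, fp);
    rewind(fp);
    h = harvest_words(fp);
    fclose(fp);
    return h;
}

/* Constructed input: a single token of len copies of c, no whitespace. */
struct harvest harvest_repeated(char c, size_t len) {
    struct harvest h = {0, 0};
    char *tok = malloc(len + 1);
    if (tok == NULL) return h;
    memset(tok, c, len);
    tok[len] = '\0';
    h = harvest_string(tok);
    free(tok);
    return h;
}
```

Feeding a 600-byte token through harvest_repeated('A', 600) yields three "words" with a longest length of 254, which is why the width fix silences the overflow alert but may still need a check that a truncated token was not silently split.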
    #5
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2015
    Posts
    14
    Rep Power
    0
    Wow, great! I changed the source code to the one you mentioned, ran flawfinder, and this alarm is resolved!
