summaryrefslogtreecommitdiff
blob: 0d4c701f0bfce3960ff80f3929383fa67dac3215 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
diff -Nuar rats-2.1.orig/report.c rats-2.1/report.c
--- rats-2.1.orig/report.c	2002-09-16 21:05:43.000000000 -0700
+++ rats-2.1/report.c	2006-05-21 23:16:16.323046789 -0700
@@ -122,9 +122,15 @@
   return result;
 }
        
-   
-
-  
+/* Exclusively for debugging vulnerabilities.
+ * - robbat2@gentoo.org 21/05/2006 */
+static void debug_vuln_dump(vulnerability_t *ptr) {
+	fprintf(stderr,"vuln_dump: this=%x f=%s l=%d c=%d d=%x t=%d s=%d u=%x p=(%x,%x)\n",				
+			ptr,
+			ptr->filename,ptr->lineno,ptr->column,
+			ptr->data,ptr->type,ptr->severity,
+			ptr->uses,ptr->next,ptr->prev);
+}
   
 static void
 replace_cfname(char *filename)
@@ -317,6 +323,27 @@
     insert_vulnerability(log);
 }
 
+/* These are special static vulnerabilities because we don't
+ * want NULL data elements in the vulnerability_t->data
+ * field, because the HTML and XML output formats use that
+ * pointer without checking it for being null first.
+ * - robbat2@gentoo.org 21/05/2006 */
+static struct Vuln_t vuln_PerlBacktick = {
+	.Name = "Perl Backtick"
+};
+static struct Vuln_t vuln_PhpBacktick = {
+	.Name = "PHP Backtick"
+};
+static struct Vuln_t vuln_PythonBacktick = {
+	.Name = "Python Backtick"
+};
+static struct Vuln_t vuln_StaticLocalBuffer = {
+	.Name = "Static Local Buffer"
+};
+static struct Vuln_t vuln_StaticGlobalBuffer = {
+	.Name = "Static Global Buffer"
+};
+
 void log_perlbacktick(int lineno, int column, Severity_t severity)
 {
     vulnerability_t *   log;
@@ -325,7 +352,7 @@
     log->filename = current_file;
     log->column   = column;
     log->lineno   = lineno;
-    log->data     = (Vuln_t *)NULL;
+    log->data     = &vuln_PerlBacktick;
     log->type     = PerlBacktick;
     log->severity = severity;
     log->uses     = (toctou_use_t *)NULL;
@@ -342,7 +369,7 @@
     log->filename = current_file;
     log->column   = column;
     log->lineno   = lineno;
-    log->data     = (Vuln_t *)NULL;
+    log->data     = &vuln_PhpBacktick;
     log->type     = PhpBacktick;
     log->severity = severity;
     log->uses     = (toctou_use_t *)NULL;
@@ -358,7 +385,7 @@
     log->filename = current_file;
     log->column   = column;
     log->lineno   = lineno;
-    log->data     = (Vuln_t *)NULL;
+    log->data     = &vuln_PythonBacktick;
     log->type     = PythonBacktick;
     log->severity = severity;
     log->uses     = (toctou_use_t *)NULL;
@@ -374,7 +401,16 @@
     log->filename = current_file;
     log->column   = column;
     log->lineno   = lineno;
-    log->data     = (Vuln_t *)NULL;
+	switch(type) {
+		case StaticLocalBuffer: 
+			log->data     = &vuln_StaticLocalBuffer; 
+			break;
+		case StaticGlobalBuffer: 
+			log->data     = &vuln_StaticGlobalBuffer; 
+			break;
+		default:
+			log->data     = (Vuln_t *)NULL;
+	}
     log->type     = type;
     log->severity = severity;
     log->uses     = (toctou_use_t *)NULL;
@@ -432,6 +468,10 @@
 static void build_xml_vulnerability(vulnerability_t *ptr) {
     int i;
     
+	/* Debugging - robbat2@gentoo.org 21/05/2006 */
+	if(ptr->data == NULL) 
+		debug_vuln_dump(ptr);
+    
     printf("<vulnerability>\n");
 
     /* Output the severity */
@@ -593,6 +633,8 @@
 void report_vulnerability(vulnerability_t *ptr)
 {
     int i;
+	if(ptr->data == NULL)
+		debug_vuln_dump(ptr);
 
     switch (ptr->type)
     {
@@ -890,8 +932,10 @@
      
 static void build_html_vulnerability(vulnerability_t *ptr) {
     int i;
-    
-
+ 
+	/* Debugging - robbat2@gentoo.org 21/05/2006 */
+	if(ptr->data == NULL) 
+		debug_vuln_dump(ptr);
     
     /* Output the severity */
     printf("  <b>Severity: %s</b><br/>\n",