10 December 2001
David Larochelle
int acl_getlimit(char *class, char *msgpathbuf)
{
    struct aclmember *entry = NULL;

    while (getaclentry("limit", &entry)) {
        …
        strcpy(msgpathbuf, entry->arg[3]);
LCLint reports a possible buffer overflow for
strcpy(msgpathbuf, entry->arg[3]);
LCLint reports an error at a call site of acl_getlimit
wu-ftpd vulnerability
/*@requires maxSet(msgpathbuf) >= 1023 @*/
strncpy(msgpathbuf, entry->arg[3], 1023);
msgpathbuf[1023] = '\0';
/*@requires maxSet(msgpathbuf) >= 199  @*/
strncpy(msgpathbuf, entry->arg[3], 199);
msgpathbuf[199] = '\0';
 int access_ok( int msgcode) {
    char class[1024], msgfile[200];
    int limit;
    …
 
    limit = acl_getlimit(class, msgfile);
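
The mismatch the slide walks through, written as an added C example (not code from the slides or from wu-ftpd): the maxSet precondition is checked at run time, so a bound of 1023 is rejected for a 200-byte msgfile while a bound of 199 is accepted. The names requires_holds, bounded_copy, caller_copy and caller_copy_long, and the 511-byte sample argument, are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MSGFILE_SIZE 200 /* mirrors char msgfile[200] in access_ok */

/* Runtime form of "requires maxSet(buf) >= bound": maxSet is the highest
   writable index, i.e. buf_size - 1. Returns 1 if the caller's buffer fits. */
int requires_holds(size_t buf_size, size_t bound)
{
    return buf_size > 0 && buf_size - 1 >= bound;
}

/* The slide's bounded copy: strncpy(dst, src, bound); dst[bound] = '\0';
   Refuses to write when the precondition fails. Returns the stored length,
   or -1 when the copy was rejected. */
long bounded_copy(char *dst, size_t dst_size, const char *src, size_t bound)
{
    if (!requires_holds(dst_size, bound))
        return -1;
    strncpy(dst, src, bound);
    dst[bound] = '\0';
    return (long)strlen(dst);
}

/* Hypothetical caller shaped like access_ok: a 200-byte destination. */
long caller_copy(const char *arg, size_t bound)
{
    char msgfile[MSGFILE_SIZE];
    return bounded_copy(msgfile, sizeof msgfile, arg, bound);
}

/* Constructed over-long argument (511 bytes) standing in for entry->arg[3]. */
long caller_copy_long(size_t bound)
{
    char arg[512];
    memset(arg, 'A', sizeof arg - 1);
    arg[sizeof arg - 1] = '\0';
    return caller_copy(arg, bound);
}

int main(void)
{
    printf("bound 1023 into msgfile[200]: %ld\n", caller_copy_long(1023));
    printf("bound 199 into msgfile[200]:  %ld\n", caller_copy_long(199));
    return 0;
}
```

LCLint makes the same comparison statically at the call site; the run-time check here only makes the arithmetic visible.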