static void nslookupComplain(const char *sysloginfo, const char *net_queryname, const char *complaint, const char *net_dname, const struct databuf *a_rr, const struct databuf *nsdp) { char queryname[INSZ+1], dname[INSZ+1]; const char *a, *ns; const char *a_type; int print_a; strncpy(queryname, net_queryname, sizeof queryname); queryname[(sizeof queryname) - 1] = EOS; strncpy(dname, net_dname, sizeof dname); dname[(sizeof dname) - 1] = EOS; if (sysloginfo && queryname && !haveComplained(queryname, complaint)) { char buf[BUFSZ]; a = ns = (char *)NULL; print_a = (a_rr->d_type == T_A); a_type = p_type(a_rr->d_type); if ( a != NULL || ns != NULL) { /* BAD */ r_strcpy (buf, sysloginfo); } else { /* BAD */ r_strcpy (buf, sysloginfo); } } }
char *realpath(char const *pathname , char *result , char *chroot_path ) { char curpath[256] ; char workpath[256] ; char linkpath[256] ; char namebuf[256] ; char *where ; int len ; int tmp ; char *__retres ; {where = curpath; tmp = nondet_int(); if (tmp == 1) {len = readlink((char const *)(namebuf), linkpath, 256); if (len <= 0) {__retres = (char *)((void *)0); goto return_label;} /* STAC: BAD */ linkpath[len] = (char)0; if ((int )linkpath[0] == '/') {workpath[0] = (char)0;} if ((int )*(where + 0) != 0) {r_strcat(linkpath, "/"); r_strcat(linkpath, where);} /* STAC: BAD */ r_strcpy(curpath, linkpath);} __retres = result; return_label: /* CIL Label */ return (__retres);} }
int fetchsms (char *pdu, int sim) { char answer[ANSWERSIZE]; int position; int beginning; int end; int foo,err; /* Added for STAC: the input data must be considered tainted! */ answer[0] = taint(); /* Input magically appears */ answer[ANSWERSIZE-1] = EOS; /* Search for NEEDLE and skip it */ position=istrstr(answer,NEEDLE); if (position==-1) return 0; beginning = position + NEEDLE_SZ + 1; /* BAD */ r_strcpy(pdu,answer+beginning); return sim; }
int fetchsms(char *pdu , int sim ) { char answer[(2 + 2 * 256) + 2] ; int position ; int beginning ; int end ; int __retres ; {answer[0] = (char )taint(); answer[((2 + 2 * 256) + 2) - 1] = (char)0; position = istrstr(answer, "+C"); if (position == -1) {__retres = 0; goto return_label;} beginning = (position + 2) + 1; end = beginning; while (1) {if ((int )answer[end] != 0) {if (! ((int )answer[end] != '\r')) {break;} } else {break;} end ++;} if ((int )answer[end] == 0) {__retres = 0; goto return_label;} else {if (end - beginning < 256) {__retres = 0; goto return_label;} } end ++; while (1) {if ((int )answer[end] != 0) {if (! ((int )answer[end] != '\r')) {break;} } else {break;} end ++;} if ((int )answer[end] == 0) {__retres = 0; goto return_label;} else {if (end - beginning < 256) {__retres = 0; goto return_label;} } /* STAC: BAD */ answer[end] = (char)0; /* STAC: BAD */ r_strcpy(pdu, answer + beginning); __retres = sim; return_label: /* CIL Label */ return (__retres);} }
int main () { struct sockaddr_un serv_adr; char filename [FILENAME_SZ]; /* server filename */ filename[FILENAME_SZ-1] = EOS; /* initialize the server address structure */ /* BAD */ r_strcpy (serv_adr.sun_path, filename); return 0; }
int parse_expression (char *str) { char *except; char str2 [LINE_LENGTH+1]; except = strstr(str, NEEDLE); if (except) { strncpy (str2, str, (unsigned int)(except-str)); } else { /* OK */ r_strcpy (str2, str); } return 0; }
int parse_expression (char *str) { char *except; char str2 [LINE_LENGTH]; except = strstr(str, NEEDLE); if (except) { // SAFE: the needle is not copied strncpy (str2, str, (unsigned int)(except-str)); } else { // UNSAFE: can copy up to LINE_LENGTH+1 characters /* BAD */ r_strcpy (str2, str); } return 0; }
void ftpls(char *line ) { int j ; int tmp ; char user[256] ; {j = 0; while ((int )*(line + j) != 0) {tmp = strchr("-", *(line + j)); if (! tmp) {break;} j ++;} if (j == 2) {if ((int )*(line + j) == ' ') {/* STAC: BAD */ r_strcpy(user, line + j);} } return;} }
char * realpath(const char *pathname, char *result, char* chroot_path) { char curpath[MAXPATHLEN]; if (result == NULL) return(NULL); if(pathname == NULL){ *result = EOS; return(NULL); } /* BAD */ r_strcpy(curpath, pathname); return result; }
int fetchsms (char *pdu, int sim) { char answer[ANSWERSIZE]; int position; int beginning; int end; int foo,err; /* Added for STAC: the input data must be considered tainted! */ answer[0] = taint(); /* Input magically appears */ answer[ANSWERSIZE-1] = EOS; /* Search for NEEDLE and skip it */ position=istrstr(answer,NEEDLE); if (position==-1) return 0; beginning = position + NEEDLE_SZ + 1; /* Answer must contain NEEDLE2; we don't need to skip it. */ if (istrstr(answer, NEEDLE2) == -1) return 0; /* Find (something)\r(something)\r, where each (something) is at * least MIN_DIFF characters * * If we don't find anything satisfying that, abort */ for( end=beginning ; answer[end] != EOS && answer[end] != '\r' ; end++ ); if ( answer[end] == EOS || end-beginning < MIN_DIFF) return 0; for( end=end+1 ; answer[end] != EOS && answer[end] !='\r' ; end++ ); if ( answer[end] == EOS || end-beginning < MIN_DIFF ) return 0; /* Change the last '\r' to an EOS */ answer[end] = EOS; /* BAD */ r_strcpy(pdu,answer+beginning); return sim; }
void ftpls (char *line) { int j; /* Stop at either: * (1) first char before EOS which isn't in "-rwxdls", or, * (2) first EOS */ for(j = 0; line[j] != EOS; ++j) if (!strchr("-", line[j])) break; if(j == J && line[j] == ' ') { /* long list */ /* BUG! No bounds check. */ char user[USERSZ]; /* BAD */ r_strcpy (user, line + j); } }
int main (void) { // these were parameters char login[LOGIN + 1]; char gecos[GECOS + 1]; char buf[BUF + 1]; char c; int i, j; login[(int) (sizeof login - 1)] = EOS; gecos[(int) (sizeof gecos - 1)] = EOS; j = 0; /* BAD */ (void) r_strcpy (buf + j, login); return 0; }
int fetchsms(char *pdu , int sim ) { char answer[(2 + 2 * 256) + 2] ; int position ; int beginning ; int __retres ; {answer[0] = (char )taint(); answer[((2 + 2 * 256) + 2) - 1] = (char)0; position = istrstr(answer, "+C"); if (position == -1) {__retres = 0; goto return_label;} beginning = (position + 2) + 1; /* STAC: BAD */ r_strcpy(pdu, answer + beginning); __retres = sim; return_label: /* CIL Label */ return (__retres);} }
/*============================================================================== 函数: <UpLoadFile> 功能: <xh_Func:> 参数: Created By 徐崇 2012.10.16 16:24:27 For Ftp ==============================================================================*/ int32_t DirDetectFile(int8_t *UpLoadFilePath) { int8_t filename[MAX_FILE_PATH_LEN]; FILE *pmd5file = NULL; FILE *plistfile = NULL; int32_t ret = 0; if((UpLoadFilePath == NULL)) { return -1; } r_strcpy(filename,UpLoadFilePath); r_strncat(filename,"/filelist.xml",r_strlen("filelist.xml")+1); plistfile = fopen(filename,"w+"); if(NULL == plistfile) { return -1; } fprintf(plistfile,"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"); fprintf(plistfile,"<DirContent>\n"); ret = ScnDir(plistfile, UpLoadFilePath); fprintf(plistfile," <num>%d</num>\n",ret); fprintf(plistfile,"</DirContent>\n"); if(plistfile != NULL) { fclose(plistfile); } return ret; }
int fetchsms (char *pdu, int sim) { char answer[ANSWERSIZE]; int position; int beginning; int end; int foo,err; /* Input magically appears */ answer[ANSWERSIZE-1] = EOS; /* Don't skip anything */ position = 0; if (position==-1) return 0; beginning = position + NEEDLE_SZ + 1; /* Find (something)\r(something)\r, where each (something) is at * least MIN_DIFF characters * * If we don't find anything satisfying that, abort */ for( end=beginning ; answer[end] != EOS && answer[end] != '\r' ; end++ ); if ( answer[end] == EOS || end-beginning < MIN_DIFF) return 0; for( end=end+1 ; answer[end] != EOS && answer[end] !='\r' ; end++ ); if ( answer[end] == EOS || end-beginning < MIN_DIFF ) return 0; /* Change the last '\r' to an EOS */ answer[end] = EOS; /* BAD */ r_strcpy(pdu,answer+beginning); return sim; }
char * realpath(const char *pathname, char *result, char* chroot_path) { char curpath[MAXPATHLEN], workpath[MAXPATHLEN], linkpath[MAXPATHLEN], namebuf[MAXPATHLEN]; int len; int where; int ptr; int last; if (result == NULL) return(NULL); if(pathname == NULL){ *result = EOS; return(NULL); } strcpy(curpath, pathname); if (pathname[0] != '/') { uid_t userid; if (!getcwd(workpath,MAXPATHLEN)) { userid = geteuid(); delay_signaling(); seteuid(0); if (!getcwd(workpath,MAXPATHLEN)) { strcpy(result, "."); seteuid(userid); enable_signaling(); return (NULL); } seteuid(userid); enable_signaling(); } } else workpath[0] = EOS; where = 0; while (curpath[where] != EOS) { if (!strcmp(curpath + where, ".")) { where++; continue; } strcpy(namebuf, workpath); for (last = 0; namebuf[last] != EOS; last++) continue; /* Chop out the out-of-bounds writes.... */ } /* Stand-in for checking stat fields. */ if (nondet_int() == 1) { len = readlink(namebuf, linkpath, MAXPATHLEN); if (len <= 0) return NULL; linkpath[len] = EOS; if (linkpath[0] == '/') workpath[0] = EOS; if (curpath[where] != EOS) { /* BAD */ r_strcat(linkpath, "/"); /* BAD */ r_strcat(linkpath, curpath + where); } /* BAD */ r_strcpy(curpath, linkpath); } return result; }
void set_local_addr(sockaddr_un_t *local_addr, int8_t *unixstr_path) { r_bzero(local_addr, sizeof(sockaddr_un_t)); local_addr->sun_family = AF_LOCAL; r_strcpy(local_addr->sun_path, unixstr_path); }