System Calls to Watch Out For

All system or library calls must have their return values checked, and errors handled. Not checking the result of a system or library call is unacceptable. The sole exception is the class of calls that are designed to either work or exit, and thus cannot return failure.

Certain library calls have historically been found to be associated with security problems, because they do no checking and user input is often passed to them. Use of these calls is strongly discouraged. Those calls include, but are not limited to:

  • system - If there's user input in the arguments, the user might be able to run a command.
  • exec, popen - Similar to system. Use execl or execv, but be careful not to pass user data to them without strong sanity checking.
  • setuid and setgid - Programs shouldn't be able to use these calls, because they shouldn't have any privileges.
  • strcpy, strcat, sprintf - These don't check the length of the strings they're working with. Use strncpy, strncat.
  • getenv - Can produce buffer overflows. Also, watch for a variable set two (or more!) times.
  • gets, scanf - Improper bounds checking. Use read, fgets.
  • gethostbyname, gethostbyaddr - These, and other calls that get data from the DNS, may return malicious data under the control of a bad guy. Getting a DNS server is pretty easy, as is having it return 64k of data for your hostname, or returning an Acme Widgets address instead of the real one. Any time you're getting data from the DNS, consider doing what's referred to as a double-reverse lookup, and again, don't trust that the data returned will be in a safe format, or correct. Code that correctly checks the information returned by the DNS can be found in the logdaemon package.
  • syslog - If syslog is passed information derived from user input, be careful to not overflow syslog's buffers. The maximum buffer size to pass is 1024 bytes.
  • realloc - realloc should not be used in crypto applications. If memory contiguous to that already allocated is not available, realloc will make a copy of the memory without zeroing the old bits. If this old memory contains keys, then you lose the pointer to the memory without destroying the information. This is generally considered a mistake.
  • open - The filesystem can change in ways you don't expect. There is sample code in an appendix for how to call open and be sure you avoid /tmp races, linking games, and other things.
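The strcpy/strncpy and gets/fgets items above, as an added C example (not code from the original page or from the logdaemon package; the names safe_copy and read_line are chosen here): bounded replacements whose return values signal failure so the caller can check them, plus the caveat that strncpy by itself does not guarantee a terminating NUL.

```c
#include <stdio.h>
#include <string.h>
#include <limits.h>

/* Bounded replacement for strcpy(). Returns 0 on success, -1 if the
 * source does not fit (dst is then set to ""), so the caller can check
 * the result as the guidelines require. Note that plain strncpy() leaves
 * dst without a terminating NUL when src is dst_size bytes or longer. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    const char *end;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    end = memchr(src, '\0', dst_size);   /* never reads past dst_size */
    if (end == NULL) {                   /* no NUL within the buffer size */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);   /* includes the NUL */
    return 0;
}

/* Replacement for gets(). Reads one line with fgets(), strips the
 * newline, and rejects over-long lines instead of silently truncating.
 * Returns the line length, -1 on EOF or read error, -2 if the line did
 * not fit (the rest of that line is discarded so the stream stays in sync). */
long read_line(FILE *fp, char *buf, size_t buf_size)
{
    size_t len;
    int c;
    if (buf_size == 0 || buf_size > INT_MAX)
        return -1;
    if (fgets(buf, (int)buf_size, fp) == NULL)
        return -1;                       /* EOF or error: caller must handle */
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
        return (long)len;
    }
    if (feof(fp))                        /* final line without a newline */
        return (long)len;
    while ((c = fgetc(fp)) != EOF && c != '\n')
        ;                                /* drain the unread remainder */
    buf[0] = '\0';
    return -2;
}
```

A caller reading, say, a username would test `read_line(stdin, buf, sizeof buf) < 0` before touching buf, rather than assuming the read succeeded.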

This list is derived from Security Code Review Guidelines by Adam Shostack.

For any questions, comments or suggestions,
please email us at fdolor-at-ateneo-dot-edu

© 2001-2005, Ateneo Campus Network Group