Hello there,

In order to write good documentation, I was looking for a static code
analyzer (do you know a good one?) when I found an "auditing tool"
called Rats, and it thinks that some parts of the linux-uvc code could
be problematic.

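I don't trust this kind of program very much (judging by the output
below, it seems to flag calls by function name rather than checking how
the buffers involved are actually sized), but I would rather pass the
Rats warnings on to you.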

I used "rats -i -r -w 3 --html --columns --context
/usr/src/linux/drivers/media/video/uvc > ~/rats_results.html" to
get these warnings (it needed 0.01 second to scan the whole uvc driver :D).


Good Bye
Palmax
Entries in perl database: 33
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55


Analyzing /usr/src/linux/drivers/media/video/uvc/uvc_ctrl.c
Analyzing /usr/src/linux/drivers/media/video/uvc/uvc_queue.c
Analyzing /usr/src/linux/drivers/media/video/uvc/uvc_driver.c
Analyzing /usr/src/linux/drivers/media/video/uvc/uvc_v4l2.c
Analyzing /usr/src/linux/drivers/media/video/uvc/uvc_isight.c
Analyzing /usr/src/linux/drivers/media/video/uvc/uvc_status.c
Analyzing /usr/src/linux/drivers/media/video/uvc/uvc_video.c

RATS results.


Severity: High
Issue: fixed size global buffer
Extra care should be taken to ensure that character arrays that are allocated on the stack are used safely. They are prime targets for buffer overflow attacks.
    File: /usr/src/linux/drivers/media/video/uvc/uvc_status.c Line:102[9]
    char *attrs[3] = { "value", "info", "failure" };
Severity: Medium
Issue: open
A function call is not being made here, but a reference is being made to a name that is normally a vulnerable function. It could be being assigned as a pointer to function.
    File: /usr/src/linux/drivers/media/video/uvc/uvc_v4l2.c Line:1067[10]
    .open = uvc_vm_open,
    File: /usr/src/linux/drivers/media/video/uvc/uvc_v4l2.c Line:1135[10]
    .open = uvc_v4l2_open,
Severity: Medium
Issue: read
A function call is not being made here, but a reference is being made to a name that is normally a vulnerable function. It could be being assigned as a pointer to function.
    File: /usr/src/linux/drivers/media/video/uvc/uvc_v4l2.c Line:1138[10]
    .read = uvc_v4l2_read,
Severity: Low
Issue: strlcpy
Double check that your buffer is as big as you specify
    File: /usr/src/linux/drivers/media/video/uvc/uvc_ctrl.c Line:789[9]
    strlcpy(v4l2_ctrl->name, mapping->name, sizeof v4l2_ctrl->name);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:315[25]
    strlcpy(format->name, fmtdesc->name,
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:346[17]
    strlcpy(format->name, "MJPEG", sizeof format->name);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:364[25]
    strlcpy(format->name, "SD-DV", sizeof format->name);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:367[25]
    strlcpy(format->name, "SDL-DV", sizeof format->name);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:370[25]
    strlcpy(format->name, "HD-DV", sizeof format->name);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:1509[9]
    strlcpy(vdev->name, dev->name, sizeof vdev->name);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:1605[17]
    strlcpy(dev->name, udev->product, sizeof dev->name);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_v4l2.c Line:64[9]
    strlcpy(query_menu->name, menu_info->name, sizeof query_menu->name);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_v4l2.c Line:507[17]
    strlcpy(cap->driver, "uvcvideo", sizeof cap->driver);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_v4l2.c Line:508[17]
    strlcpy(cap->card, vdev->name, sizeof cap->card);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_v4l2.c Line:650[17]
    strlcpy(input->name, iterm->name, sizeof input->name);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_v4l2.c Line:718[17]
    strlcpy(fmt->description, format->name,
Severity: Low
Issue: memcpy
Double check that your buffer is as big as you specify. When using functions that accept a number n of bytes to copy, such as strncpy, be aware that if the dest buffer size = n it may not NULL-terminate the string.
    File: /usr/src/linux/drivers/media/video/uvc/uvc_ctrl.c Line:923[25]
    memcpy(uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT),
    File: /usr/src/linux/drivers/media/video/uvc/uvc_ctrl.c Line:1039[17]
    memcpy(uvc_ctrl_data(ctrl, UVC_CTRL_DATA_BACKUP),
    File: /usr/src/linux/drivers/media/video/uvc/uvc_ctrl.c Line:1108[9]
    memcpy(uvc_ctrl_data(ctrl, UVC_CTRL_DATA_BACKUP),
    File: /usr/src/linux/drivers/media/video/uvc/uvc_ctrl.c Line:1131[17]
    memcpy(uvc_ctrl_data(ctrl, UVC_CTRL_DATA_CURRENT),
    File: /usr/src/linux/drivers/media/video/uvc/uvc_queue.c Line:192[9]
    memcpy(v4l2_buf, &buf->buf, sizeof *v4l2_buf);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:638[9]
    memcpy(streaming->header.bmaControls, &buffer[size], p*n);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:823[17]
    memcpy(unit->extension.guidExtensionCode, &buffer[4], 16);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:827[17]
    memcpy(unit->extension.baSourceID, &buffer[22], p);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:832[17]
    memcpy(unit->extension.bmControls, &buffer[23+p], 2*n);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:944[25]
    memcpy(term->camera.bmControls, &buffer[15], n);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:951[25]
    memcpy(term->media.bmControls, &buffer[9], n);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:952[25]
    memcpy(term->media.bmTransportModes, &buffer[10+n], p);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:1023[17]
    memcpy(unit->selector.baSourceID, &buffer[5], p);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:1056[17]
    memcpy(unit->processing.bmControls, &buffer[8], n);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:1086[17]
    memcpy(unit->extension.guidExtensionCode, &buffer[4], 16);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:1090[17]
    memcpy(unit->extension.baSourceID, &buffer[22], p);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:1093[17]
    memcpy(unit->extension.bmControls, &buffer[23+p], n);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_v4l2.c Line:261[9]
    memcpy(&video->streaming->ctrl, &probe, sizeof probe);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_v4l2.c Line:320[9]
    memcpy(&probe, &video->streaming->ctrl, sizeof probe);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_v4l2.c Line:332[9]
    memcpy(&video->streaming->ctrl, &probe, sizeof probe);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_v4l2.c Line:973[17]
    memcpy(info->entity, xinfo->entity, sizeof info->entity);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_v4l2.c Line:1001[17]
    memcpy(map->name, xmap->name, sizeof map->name);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_v4l2.c Line:1002[17]
    memcpy(map->entity, xmap->entity, sizeof map->entity);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_isight.c Line:89[17]
    memcpy(mem, data, nbytes);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_video.c Line:459[9]
    memcpy(mem, data, nbytes);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_video.c Line:515[9]
    memcpy(data, mem, nbytes);
    File: /usr/src/linux/drivers/media/video/uvc/uvc_video.c Line:595[25]
    memcpy(video->bulk.header, mem, ret);
Severity: Low
Issue: snprintf
Double check that your buffer is as big as you specify. When using functions that accept a number n of bytes to copy, such as strncpy, be aware that if the dest buffer size = n it may not NULL-terminate the string.
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:322[25]
    snprintf(format->name, sizeof format->name,
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:1607[17]
    snprintf(dev->name, sizeof dev->name,
Severity: Low
Issue: strlcat
Double check that your buffer is as big as you specify
    File: /usr/src/linux/drivers/media/video/uvc/uvc_driver.c Line:380[17]
    strlcat(format->name, buffer[8] & (1 << 7) ? " 60Hz" : " 50Hz",
    File: /usr/src/linux/drivers/media/video/uvc/uvc_status.c Line:35[9]
    strlcat(dev->input_phys, "/button", sizeof(dev->input_phys));

Inputs detected at the following points



Total lines analyzed: 6748
Total time 0.010661 seconds
632961 lines per second
_______________________________________________
Linux-uvc-devel mailing list
Linux-uvc-devel@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/linux-uvc-devel
