the-web-application-hackers-handbook

710 Chapter 19 n Finding Vulnerabilities in Source Code
Comparisons between signed and unsigned integers often lead to problems.
In the following “fix” to the previous vulnerability, a signed integer (len) is
compared with an unsigned integer (sizeof(strFileName)). If the user can
engineer a situation where len has a negative value, this comparison will succeed,
and the unchecked strcpy will still occur:
BOOL CALLBACK CFiles::EnumNameProc(LPTSTR pszName, int len)
{
char strFileName[MAX_PATH];
}
if (len < sizeof(strFileName))
strcpy(strFileName, pszName);
...
Format String Vulnerabilities
Typically you can identify these quickly by looking for uses of the printf and
FormatMessage families of functions where the format string parameter is not
hard-coded but is user-controllable. The following call to fprintf is an example:
void logAuthenticationAttempt(char* username);
{
char tmp[64];
snprintf(tmp, 64, “login attempt for: %s\n”, username);
tmp[63] = 0;
fprintf(g_logFile, tmp);
}
Source Code Comments
Many software vulnerabilities are actually documented within source code
comments. This often occurs because developers are aware that a particular
operation is unsafe, and they record a reminder to fix the problem later, but
they never get around to doing so. In other cases, testing has identified some
anomalous behavior within the application that was commented within the
code but never fully investigated. For example, the authors encountered the
following within an application’s production code: