Ticket refs #3731: icwmpd: Static Code Analysis (flawfinder)

2025-12-10 07:44:41 +01:00 · 2021-04-20 17:20:46 +01:00 · 2021-04-20 17:20:46 +01:00 · f5ac401208
commit f5ac401208
parent f70cc81e56
10 changed files with 58 additions and 33 deletions
--- a/backupSession.c
+++ b/backupSession.c
@ -92,9 +92,9 @@ mxml_node_t *bkp_session_insert_event(int index, char *command_key, int id, char
 	mxml_node_t *b;

 	pthread_mutex_lock(&mutex_backup_session);
-	sprintf(parent_name, "%s_event", status);
-	sprintf(event_id, "%d", id);
-	sprintf(event_idx, "%d", index);
+	snprintf(parent_name, sizeof(parent_name), "%s_event", status);
+	snprintf(event_id, sizeof(event_id), "%d", id);
+	snprintf(event_idx, sizeof(event_idx), "%d", index);
 	keys[0].name = "id";
 	keys[0].value = event_id;
 	b = bkp_session_node_found(bkp_tree, parent_name, keys, 1);
@ -116,8 +116,8 @@ void bkp_session_delete_event(int id, char *status)
 	mxml_node_t *b;

 	pthread_mutex_lock(&mutex_backup_session);
-	sprintf(parent_name, "%s_event", status);
-	sprintf(event_id, "%d", id);
+	snprintf(parent_name, sizeof(parent_name), "%s_event", status);
+	snprintf(event_id, sizeof(event_id), "%d", id);
 	keys[0].name = "id";
 	keys[0].value = event_id;
 	b = bkp_session_node_found(bkp_tree, parent_name, keys, 1);
@ -1641,7 +1641,7 @@ int bkp_session_check_file()
 {
 	FILE *pFile;

-	if (access(CWMP_BKP_FILE, F_OK) == -1) {
+	if (!file_exists(CWMP_BKP_FILE)) {
 		bkp_session_create_file();
 		return -1;
 	}
--- a/common.c
+++ b/common.c
@ -25,6 +25,7 @@
 #define CURL_TIMEOUT 20
 char *commandKey = NULL;
 long int flashsize = 256000000;
+static unsigned long int next_rand_seed = 1;

 struct option cwmp_long_options[] = { { "boot-event", no_argument, NULL, 'b' }, { "get-rpc-methods", no_argument, NULL, 'g' }, { "command-input", no_argument, NULL, 'c' }, { "help", no_argument, NULL, 'h' }, { "version", no_argument, NULL, 'v' }, { NULL, 0, NULL, 0 } };

@ -484,3 +485,21 @@ out_error:
 	errno = saved_errno;
 	return -1;
 }
+
+bool file_exists(const char *path)
+{
+	struct stat buffer;
+
+	return stat(path, &buffer) == 0;
+}
+
+int icwmp_rand(void) // RAND_MAX assumed to be 32767
+{
+	next_rand_seed = next_rand_seed * 1103515245 + 12345;
+	return (unsigned int)(next_rand_seed / 65536) % 32768;
+}
+
+void icwmp_srand(unsigned int seed) //
+{
+	next_rand_seed = seed;
+}
--- a/cwmp.c
+++ b/cwmp.c
@ -35,8 +35,8 @@ int cwmp_get_retry_interval(struct cwmp *cwmp)
 		exp = 10;
 	min = pow(((double)k / 1000), (double)(exp - 1)) * m;
 	max = pow(((double)k / 1000), (double)exp) * m;
-	srand(time(NULL));
-	retry_count = rand() % ((int)max + 1 - (int)min) + (int)min;
+	icwmp_srand(time(NULL));
+	retry_count = icwmp_rand() % ((int)max + 1 - (int)min) + (int)min;
 	return (retry_count);
 }

@ -348,11 +348,11 @@ void cwmp_schedule_session(struct cwmp *cwmp)
 			retry = false;
 		}
 		session = list_entry(ilist, struct session, list);
-		if (access(DM_ENABLED_NOTIFY, F_OK) != -1) {
+		if (file_exists(DM_ENABLED_NOTIFY)) {
 			if (!event_exist_in_list(cwmp, EVENT_IDX_4VALUE_CHANGE))
 				is_notify = check_value_change();
 		}
-		if (is_notify > 0 || access(DM_ENABLED_NOTIFY, F_OK) < 0)
+		if (is_notify > 0 || !file_exists(DM_ENABLED_NOTIFY))
 			cwmp_update_enabled_notify_file();
 		cwmp_prepare_value_change(cwmp);
 		clean_list_value_change();
@ -366,7 +366,7 @@ void cwmp_schedule_session(struct cwmp *cwmp)
 		cwmp->session_status.last_status = SESSION_RUNNING;
 		cwmp->session_status.next_retry = 0;

-		if (access(fc_cookies, F_OK) != -1)
+		if (file_exists(fc_cookies))
 			remove(fc_cookies);
 		CWMP_LOG(INFO, "Start session");

--- a/cwmp_uci.c
+++ b/cwmp_uci.c
@ -272,7 +272,7 @@ int cwmp_uci_get_value_common(char *cmd, char **value, bool state)
 		return CWMP_GEN_ERR;
 	}
 	if (state) {
-		strcpy(state_path, VARSTATE_CONFIG);
+		strncpy(state_path, VARSTATE_CONFIG, strlen(VARSTATE_CONFIG));
 		uci_add_delta_path(c, c->savedir);
 		uci_set_savedir(c, state_path);
 	}
@ -351,7 +351,7 @@ int uci_set_value(char *path, char *value, uci_config_action action)
 	}

 	if (action == CWMP_CMD_SET_STATE) {
-		strcpy(state_path, VARSTATE_CONFIG);
+		strncpy(state_path, VARSTATE_CONFIG, strlen(VARSTATE_CONFIG));
 		uci_add_delta_path(c, c->savedir);
 		uci_set_savedir(c, state_path);
 	}
--- a/http.c
+++ b/http.c
@ -102,7 +102,7 @@ void http_client_exit(void)
 		curl_slist_free_all(http_c.header_list);
 		http_c.header_list = NULL;
 	}
-	if (access(fc_cookies, W_OK) == 0)
+	if (file_exists(fc_cookies))
 		remove(fc_cookies);
 	curl_easy_cleanup(curl);
 	curl_global_cleanup();
@ -220,7 +220,7 @@ int http_send_message(struct cwmp *cwmp, char *msg_out, int msg_out_len, char **
 	curl_easy_getinfo(curl, CURLINFO_PRIMARY_IP, &ip);
 	if (ip && ip[0] != '\0') {
 		if (ip_acs[0] == '\0' || strcmp(ip_acs, ip) != 0) {
-			strcpy(ip_acs, ip);
+			strncpy(ip_acs, ip, strlen(ip));
 			if (cwmp->conf.ipv6_enable) {
 				tmp = inet_pton(AF_INET, ip, buf);
 				if (tmp == 1)
@ -308,7 +308,7 @@ static void http_cr_new_client(int client, bool service_available)
 			method_is_get = true;
 		if (!strncasecmp(buffer, "Authorization: Digest ", strlen("Authorization: Digest "))) {
 			auth_digest_checked = true;
-			strcpy(auth_digest_buffer, buffer);
+			strncpy(auth_digest_buffer, buffer, strlen(buffer));
 		}

 		if (buffer[0] == '\r' || buffer[0] == '\n') {
--- a/inc/common.h
+++ b/inc/common.h
@ -452,6 +452,7 @@ void cwmp_del_list_fault_param(struct cwmp_param_fault *param_fault);
 void cwmp_free_all_list_param_fault(struct list_head *list_param_fault);
 int cwmp_asprintf(char **s, const char *format, ...);
 bool folder_exists(const char *path);
+bool file_exists(const char *path);
 void cwmp_reboot(char *command_key);
 void cwmp_factory_reset();
 void get_firewall_zone_name_by_wan_iface(char *if_wan, char **zone_name);
@ -463,6 +464,8 @@ int cwmp_check_image();
 void cwmp_apply_firmware();
 int opkg_install_package(char *package_path);
 int copy(const char *from, const char *to);
+int icwmp_rand(void);
+void icwmp_srand(unsigned int seed);
 #ifndef FREE
 #define FREE(x)                   \
 	do {                      \
--- a/kcwmp.c
+++ b/kcwmp.c
@ -137,7 +137,7 @@ int kernel_api_cwmp_value_change_call(int count, ...)
 		if (kernel_cwmp_input.argv[i] == NULL) {
 			goto kernel_api_cwmp_error;
 		}
-		strcpy(kernel_cwmp_input.argv[i], s);
+		strncpy(kernel_cwmp_input.argv[i], s, sizeof(kernel_cwmp_input.argv[i]));
 		kernel_cwmp_input.argc++;
 	}
 	va_end(args);
--- a/log.c
+++ b/log.c
@ -42,12 +42,13 @@ int log_set_severity_idx(char *value)
 int log_set_log_file_name(char *value)
 {
 	if (value != NULL) {
-		strcpy(log_file_name, value);
+		strncpy(log_file_name, value, strlen(value));
 	} else {
-		strcpy(log_file_name, DEFAULT_LOG_FILE_NAME);
+		strncpy(log_file_name, DEFAULT_LOG_FILE_NAME, strlen(DEFAULT_LOG_FILE_NAME));
 	}
 	return 1;
 }
+
 int log_set_file_max_size(char *value)
 {
 	if (value != NULL) {
@ -55,6 +56,7 @@ int log_set_file_max_size(char *value)
 	}
 	return 1;
 }
+
 int log_set_on_console(char *value)
 {
 	if (strcmp(value, "enable") == 0) {
@ -65,6 +67,7 @@ int log_set_on_console(char *value)
 	}
 	return 1;
 }
+
 int log_set_on_file(char *value)
 {
 	if (strcmp(value, "enable") == 0) {
@ -116,16 +119,16 @@ void puts_log(int severity, const char *fmt, ...)

 	gettimeofday(&tv, 0);
 	Tm = localtime(&tv.tv_sec);
-	i = sprintf(buf, "%02d-%02d-%4d, %02d:%02d:%02d %s ", Tm->tm_mday, Tm->tm_mon + 1, Tm->tm_year + 1900, Tm->tm_hour, Tm->tm_min, Tm->tm_sec, SEVERITY_NAMES[severity]);
+	i = snprintf(buf, sizeof(buf), "%02d-%02d-%4d, %02d:%02d:%02d %s ", Tm->tm_mday, Tm->tm_mon + 1, Tm->tm_year + 1900, Tm->tm_hour, Tm->tm_min, Tm->tm_sec, SEVERITY_NAMES[severity]);
 	if (strlen(log_file_name) == 0) {
-		strcpy(log_file_name, DEFAULT_LOG_FILE_NAME);
+		strncpy(log_file_name, DEFAULT_LOG_FILE_NAME, strlen(DEFAULT_LOG_FILE_NAME));
 	}
 	if (enable_log_file) {
 		if (stat(log_file_name, &st) == 0) {
 			size = st.st_size;
 		}
 		if (size >= log_max_size) {
-			sprintf(log_file_name_bak, "%s.1", log_file_name);
+			snprintf(log_file_name_bak, sizeof(log_file_name_bak), "%s.1", log_file_name);
 			rename(log_file_name, log_file_name_bak);
 			pLog = fopen(log_file_name, "w");
 		} else {
@ -133,9 +136,9 @@ void puts_log(int severity, const char *fmt, ...)
 		}
 	}
 	va_start(args, fmt);
-	i += vsprintf(buf + i, fmt, args);
+	i += vsprintf(buf + i, (const char *)fmt, args);
 	if (enable_log_file) {
-		strcpy(buf_file, buf);
+		strncpy(buf_file, buf, strlen(buf));
 		strcat(buf_file, "\n");
 		fputs(buf_file, pLog);
 	}
@ -149,7 +152,7 @@ void puts_log(int severity, const char *fmt, ...)

 	if (enable_log_syslog) {
 		va_start(args, fmt);
-		vsnprintf(buf, sizeof(buf), fmt, args);
+		vsnprintf(buf, strlen(buf), fmt, args);
 		buf[sizeof(buf) - 1] = '\0';
 		va_end(args);

@ -178,9 +181,9 @@ void puts_log_xmlmsg(int severity, char *msg, int msgtype)

 	gettimeofday(&tv, 0);
 	Tm = localtime(&tv.tv_sec);
-	sprintf(buf, "%02d-%02d-%4d, %02d:%02d:%02d %s ", Tm->tm_mday, Tm->tm_mon + 1, Tm->tm_year + 1900, Tm->tm_hour, Tm->tm_min, Tm->tm_sec, SEVERITY_NAMES[severity]);
+	snprintf(buf, sizeof(buf), "%02d-%02d-%4d, %02d:%02d:%02d %s ", Tm->tm_mday, Tm->tm_mon + 1, Tm->tm_year + 1900, Tm->tm_hour, Tm->tm_min, Tm->tm_sec, SEVERITY_NAMES[severity]);
 	if (strlen(log_file_name) == 0) {
-		strcpy(log_file_name, DEFAULT_LOG_FILE_NAME);
+		strncpy(log_file_name, DEFAULT_LOG_FILE_NAME, strlen(DEFAULT_LOG_FILE_NAME));
 	}

 	if (msgtype == XML_MSG_IN) {
@ -196,7 +199,7 @@ void puts_log_xmlmsg(int severity, char *msg, int msgtype)
 			size = st.st_size;
 		}
 		if (size >= log_max_size) {
-			sprintf(log_file_name_bak, "%s.1", log_file_name);
+			snprintf(log_file_name_bak, sizeof(log_file_name_bak), "%s.1", log_file_name);
 			rename(log_file_name, log_file_name_bak);
 			pLog = fopen(log_file_name, "w");
 		} else {
--- a/notifications.c
+++ b/notifications.c
@ -99,7 +99,7 @@ void ubus_check_value_change_callback(struct ubus_request *req, int type __attri
 		if (len)
 			buf[len - 1] = '\0';
 		char parameter[128] = { 0 }, notification[2] = { 0 }, value[1024] = { 0 }, type[32] = { 0 };
-		sscanf(buf, "parameter:%s notifcation:%s type:%s value:%s\n", parameter, notification, type, value);
+		sscanf(buf, "parameter:%128s notifcation:%2s type:%32s value:%1024s\n", parameter, notification, type, value);
 		get_parameter_value_from_parameters_list(list_notify, parameter, &dm_value, &dm_type);
 		if (dm_value == NULL && dm_type == NULL)
 			continue;
@ -245,9 +245,9 @@ char *calculate_lwnotification_cnonce()
 {
 	int i;
 	char *cnonce = malloc(33 * sizeof(char));
-	srand((unsigned int)time(NULL));
+	icwmp_srand((unsigned int)time(NULL));
 	for (i = 0; i < 4; i++) {
-		sprintf(&(cnonce[i * 8]), "%08x", rand());
+		sprintf(&(cnonce[i * 8]), "%08x", icwmp_rand());
 	}
 	cnonce[i * 8] = '\0';
 	return cnonce;
--- a/xml.c
+++ b/xml.c
@ -483,7 +483,7 @@ const char *whitespace_cb(mxml_node_t *node, int where)
 	case MXML_WS_BEFORE_OPEN:
 		tab_space[0] = '\0';
 		while ((node = node->parent))
-			strcat(tab_space, CWMP_MXML_TAB_SPACE);
+			strncat(tab_space, CWMP_MXML_TAB_SPACE, strlen(CWMP_MXML_TAB_SPACE));
 		return tab_space;
 	case MXML_WS_AFTER_OPEN:
 		return ((!node->child || node->child->type == MXML_ELEMENT) ? "\n" : NULL);
@ -720,7 +720,7 @@ char *xml_get_cwmp_version(int version)
 			sprintf(tmp, "1.%d", k);
 		else
 			sprintf(tmp, ", 1.%d", k);
-		strcat(versions, tmp);
+		strncat(versions, tmp, strlen(tmp));
 	}
 	return versions;
 }