Home » Testing and Debugging » Security Testing » Identifying security vulnerabilities and coding mistakes (Code Review) using Splint

Identifying security vulnerabilities and coding mistakes (Code Review) using Splint

Splint is a tool for statically checking C programs for security vulnerabilities and coding mistakes. With minimal effort, Splint can be used as a better lint. If additional effort is invested adding annotations to programs, Splint can perform stronger checking than can be done by any standard lint.

 $ vim valgring_test.c 
#include <stdio.h>
#include <stdlib.h>
 
int main() {
    char *ptr = (char *) malloc(1024);
    char ch;
    /* Uninitialized read */
    ch = ptr[1024];
    /* Write beyond the block */
    ptr[1024] = 0;
    /* Orphan the block */
    ptr = 0;
    exit(0);
}
 $ gcc -Wall -pedantic valgrind_test.c 

this will print the unused variables, warning etc

 $ sudo apt-get install splint 

Reading package lists… Done
Building dependency tree
Reading state information… Done
The following extra packages will be installed:
splint-data
Suggested packages:
splint-doc-html
The following NEW packages will be installed:
splint splint-data
0 upgraded, 2 newly installed, 0 to remove and 261 not upgraded.
Need to get 928 kB of archives.
After this operation, 2,998 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://us.archive.ubuntu.com/ubuntu/ trusty/universe splint-data all 3.1.2.dfsg1-2 [182 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ trusty/universe splint i386 3.1.2.dfsg1-2 [746 kB]
Fetched 928 kB in 11s (82.7 kB/s)
Selecting previously unselected package splint-data.
(Reading database … 210095 files and directories currently installed.)
Preparing to unpack …/splint-data_3.1.2.dfsg1-2_all.deb …
Unpacking splint-data (3.1.2.dfsg1-2) …
Selecting previously unselected package splint.
Preparing to unpack …/splint_3.1.2.dfsg1-2_i386.deb …
Unpacking splint (3.1.2.dfsg1-2) …
Processing triggers for man-db (2.6.7.1-1ubuntu1) …
Setting up splint-data (3.1.2.dfsg1-2) …
Setting up splint (3.1.2.dfsg1-2) …

 $ splint -strict valgrind_test.c 
Splint 3.1.2 --- 03 May 2009

valgrind_test.c:4:5: Function main declared without parameter list
  A function declaration does not have a parameter list. (Use -noparams to
  inhibit warning)

valgrind_test.c: (in function main)

valgrind_test.c:6:29: Function malloc expects arg 1 to be size_t gets int: 1024
  To allow arbitrary integral types to match any integral type, use
  +matchanyintegral.

valgrind_test.c:9:6: Index of possibly null pointer ptr: ptr
  A possibly null pointer is dereferenced.  Value is either the result of a
  function which may return null (in which case, code should check it is not
  null), or a global, parameter or structure field declared with the null
  qualifier. (Use -nullderef to inhibit warning)
   valgrind_test.c:6:13: Storage ptr may become null

valgrind_test.c:9:6: Array element ptr[1024] used before definition
  An rvalue is used that may not be initialized to a value on some execution
  path. (Use -usedef to inhibit warning)

valgrind_test.c:11:1: Assignment of int to char: ptr[1024] = 0
  Types are incompatible. (Use -type to inhibit warning)

valgrind_test.c:13:1: Fresh storage ptr (type char *) not released before
                         assignment: ptr = 0
  A memory leak has been detected. Storage allocated locally is not released
  before the last reference to it is lost. (Use -mustfreefresh to inhibit
  warning)
   valgrind_test.c:6:35: Fresh storage ptr created

valgrind_test.c:9:6: Possible out-of-bounds read: ptr[1024]
    Unable to resolve constraint:
    requires maxRead(malloc(1024) @ valgrind_test.c:6:22) >= 1024
     needed to satisfy precondition:
    requires maxRead(ptr @ valgrind_test.c:9:6) >= 1024
  A memory read references memory beyond the allocated storage. (Use
  -boundsread to inhibit warning)

valgrind_test.c:11:1: Likely out-of-bounds store: ptr[1024]
    Unable to resolve constraint:
    requires 1023 >= 1024
     needed to satisfy precondition:
    requires maxSet(ptr @ valgrind_test.c:11:1) >= 1024
  A memory write may write to an address beyond the allocated buffer. (Use
  -likelyboundswrite to inhibit warning)

Finished checking --- 8 code warnings


Subscribe our Rurban Life YouTube Channel.. "Rural Life, Urban LifeStyle"

Leave a Comment