buffer overrun: dangerous usage of strncpy+strncat

This commit is contained in:
Daniel Marjamäki 2009-02-20 21:16:07 +00:00
parent 15e86db3ed
commit ed86d924df
2 changed files with 18 additions and 11 deletions

View File

@ -105,7 +105,6 @@ void CheckBufferOverrunClass::CheckBufferOverrun_CheckScope(const Token *tok, co
} }
} }
int indentlevel = 0; int indentlevel = 0;
for (; tok; tok = tok->next()) for (; tok; tok = tok->next())
{ {
@ -159,7 +158,6 @@ void CheckBufferOverrunClass::CheckBufferOverrun_CheckScope(const Token *tok, co
_errorLogger->bufferOverrun(_tokenizer, tok); _errorLogger->bufferOverrun(_tokenizer, tok);
} }
} }
continue;
} }
} }
else if (Token::Match(tok, "memset|memcpy|memmove|memcmp|strncpy|fgets")) else if (Token::Match(tok, "memset|memcpy|memmove|memcmp|strncpy|fgets"))
@ -267,6 +265,15 @@ void CheckBufferOverrunClass::CheckBufferOverrun_CheckScope(const Token *tok, co
} }
// Dangerous usage of strncpy + strncat..
if (Token::Match(tok, "strncpy|strncat ( %varid% , %any% , %num% ) ; strncat ( %varid% , %any% , %num% )", varid))
{
int n = atoi(tok->strAt(6)) + atoi(tok->strAt(15));
if (n > size)
_errorLogger->strncatUsage(_tokenizer, tok->tokAt(9));
}
// sprintf.. // sprintf..
if (varid > 0 && Token::Match(tok, "sprintf ( %varid% , %str% ,", varid)) if (varid > 0 && Token::Match(tok, "sprintf ( %varid% , %str% ,", varid))
{ {

View File

@ -92,7 +92,7 @@ private:
TEST_CASE(snprintf2); TEST_CASE(snprintf2);
TEST_CASE(snprintf3); TEST_CASE(snprintf3);
// TODO TEST_CASE(strncat1); TEST_CASE(strncat1);
TEST_CASE(strncat2); TEST_CASE(strncat2);
TEST_CASE(varid1); TEST_CASE(varid1);
@ -473,11 +473,11 @@ private:
{ {
check("void f()\n" check("void f()\n"
"{\n" "{\n"
" char str[10];\n" " char str[16];\n"
" strncpy(str, a, 5);\n" " strncpy(str, a, 10);\n"
" strncat(str, b, 5);\n" " strncat(str, b, 10);\n"
"}\n"); "}\n");
ASSERT_EQUALS(std::string("[test.cpp:5]: (error) possible buffer overrun"), errout.str()); ASSERT_EQUALS(std::string("[test.cpp:5]: (all) Dangerous usage of strncat, possible buffer overrun\n"), errout.str());
} }
void strncat2() void strncat2()