>
>
>
V755. Copying from potentially tainted …


V755. Copying from potentially tainted data source. Buffer overflow is possible.

The analyzer detected that data is copied from a possibly tainted source to the buffer.

Such sources can be:

  • command line arguments whose length is unknown;
  • standard library input streams combined with the C strings (null-terminated strings);
  • return value of unsafe functions.

Unsafe work with command line arguments

Here's an example:

int main(int argc, char *argv[])
{
  ....
  const size_t buf_size = 1024;
  char *tmp = (char *) malloc(buf_size);
  ....
  strcpy(tmp, argv[0]);
  ....
}

If the copied data size exceeds the buffer size, the buffer overflows. To avoid this, pre-calculate the required amount of memory:

int main(int argc, char *argv[])
{
  ....
  char buffer[1024];
  errno_t err = strncpy_s(buffer, sizeof(buffer), argv[0], 1024);
  ....
}

You can also allocate memory when you need it by using the 'realloc' function. In C++, you can use all classes, like 'std::string', to work with strings.

Unsafe work with input streams

Before C++20, you could use a C string as a receiver buffer for standard input streams ('std::cin', 'std::ifstream'):

void BadRead(char *receiver)
{
  std::cin >> receiver;
}

Fortunately, this feature was removed in C++20. Now you can use the standard library input streams only with arrays of known size. And there's an implicit limit on a maximum number of characters read.

void Exception2Cpp20()
{
  char *buffer1 = new char[10];
  std::cin >> buffer1;          // Won't compile since C++20

  char buffer2[10];
  std::cin >> buffer2;          // no overflow
                                // max 9 chars will be read
}

You can read more about this change (with examples of use) in the P0487R1 proposal to the C++20 standard.

Unsafe return value

Attackers can manipulate the value returned by some functions. If you work with those values, be extremely careful:

void InsecureDataProcessing()
{
  char oldLocale[50];
  strcpy(oldLocale, setlocale(LC_ALL, nullptr));
  ....
}

In this example, a fixed-size buffer is created. The 'LC_ALL' environment variable is read to this buffer. If an attacker can manipulate it, then reading this variable can lead to the buffer overflow.

Exceptions

The analyzer won't issue a warning if the data source is unknown:

void Exception1(int argc, char *argv[])
{
  char *src = GetData();
  char *tmp = (char *)malloc(1024);
  strcpy(tmp, src);
  ....
}

This diagnostic is classified as: