V512. Call of the 'Foo' function will lead to buffer overflow.
- The compatibility with the previous versions
- Work with unknown values of arguments to format strings
- Note regarding the 'strncpy' function
The analyzer has detected a potential error related to filling, copying or comparing memory buffers. The error can lead to buffer overflow.
Note: previously this diagnostic rule contained some additional functionality, but afterwards we decided to transfer this functionality into a separate diagnostic V1086. You can read more about the causes and consequences of this decision in the special note.
This is a common type of error caused, for example, by typos or inattention. As a result, memory occupied by other data can be read or written to. Attackers can exploit this error to execute malicious program code, read sensitive information, or cause the operating system to crash. The specific trouble with this kind of error is that the program can work stably for a long time.
Let's look at example N1.
#include <cstring>

#define BYTES_COUNT 5
struct Example
{
  unsigned char id[BYTES_COUNT];
  unsigned char extended[BYTES_COUNT - 2];
  unsigned char data[20];
};
void ClearID(Example *data)
{
  memset(&data->id, 0, BYTES_COUNT);
  memset(&data->extended, 0, BYTES_COUNT); // 'extended' holds BYTES_COUNT - 2 bytes: overflow into 'data'
}
In this example a pointer to an object of the 'Example' type is passed to the 'ClearID' function. Within the function, the 'id' and 'extended' fields are cleared with the 'memset' function. Careless use of the 'BYTES_COUNT' macro will cause the buffer overflow when you clear the 'extended' field. This will result in rewriting the adjacent 'data' field.
Similarly, the buffer overflow can be caused by an incorrect type conversion, as in the example N2:
#include <ctime>

struct MyTime
{
  int timestamp;
  ....
};
MyTime s;
time((time_t*)&s.timestamp); // writes sizeof(time_t) bytes into a 32-bit 'int'
This example, at first glance, does not contain any dangers and will even work properly as long as the sizes of the 'int' and 'time_t' types match. The problem reveals itself when you use a standard library where the 'time_t' type is 64-bit, while the 'int' variable has a size of 32 bits.
In this case, if we call the 'time' function, it will write its result to the 'timestamp' variable and also to the memory area next to it. The correct variant:
#include <ctime>

struct MyTime
{
  time_t time;
  ....
};
MyTime s;
time(&s.time);
The compatibility with the previous versions
Previously, this diagnostic rule contained some additional functionality, which has been transferred to the V1086 diagnostic rule. The new one detects cases of a buffer underflow.
Before splitting the V512, you had the ability to fine-tune the diagnostic and disable the irrelevant part of it by using special comments. In order to provide backward compatibility, it's still possible to disable the V512 diagnostic with a special comment:
//-V512_OVERFLOW_OFF
You can add this comment into the header file, included into all the other files. For instance, it can be the "stdafx.h" file. If you add this comment into the "*.cpp" file, it will affect only this particular file.
Since the V512 diagnostic rule now only detects buffer overflows, this comment has become equivalent to a complete disabling of the diagnostic (//-V::512).
Work with unknown values of arguments to format strings
Sometimes the analyzer may not know the exact value of the argument, for example, when it comes from a function's parameter:
#include <cstdio>

void foo(int someVar)
{
  char buf[2]; // "%d" of an unknown 'int' may need up to 12 bytes including the null
  sprintf(buf, "%d", someVar);
  ....
}
There will be no warning by default. To enable it, use the following comment:
//V_512_WARN_ON_UNKNOWN_FORMAT_ARGS
In this case the analyzer will use the range of values derived from the argument's type.
Note regarding the 'strncpy' function
Several times customers contacted our support because they thought that the analyzer generates a false positive on the following code:
#include <cstring>

char buf[5];
strncpy(buf, "X", 100); // writes 100 bytes into a 5-byte buffer
It may seem that the function has to copy only 2 bytes (the 'X' character and the terminating null). But in fact, an array overrun will occur here. And the reason for this is the important property of the 'strncpy' function:
If, after copying the terminating null character from source string, count (the third argument of the function) is not reached, additional null characters are written to destination string until the total of count characters have been written.
For more details about this or other properties of the 'strncpy' function, see cppreference.
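An added C example, not code from the PVS-Studio documentation, that ties example N1 and the 'strncpy' note together: 'ClearID' rewritten with counts taken from the fields themselves, a check that the adjacent 'data' field stays intact, a measurement of how many bytes 'strncpy' really writes, and a bounded copy that keeps the padding inside the destination. The names 'ClearIDFixed', 'ClearIDKeepsData', 'StrncpyBytesWritten' and 'CopyIntoSmallBuf' are assumptions made up for this example.

```c
#include <string.h>

#define BYTES_COUNT 5
struct Example
{
    unsigned char id[BYTES_COUNT];
    unsigned char extended[BYTES_COUNT - 2];
    unsigned char data[20];
};

/* Corrected ClearID: each memset is sized by the field it clears, not by a shared macro. */
void ClearIDFixed(struct Example *data)
{
    memset(data->id, 0, sizeof data->id);
    memset(data->extended, 0, sizeof data->extended);
}
/* Returns 1 if ClearIDFixed zeroed 'extended' and left the adjacent 'data' untouched. */
int ClearIDKeepsData(void)
{
    struct Example e;
    memset(&e, 0xAA, sizeof e);   /* constructed sentinel pattern */
    ClearIDFixed(&e);
    for (size_t i = 0; i < sizeof e.extended; ++i)
        if (e.extended[i] != 0) return 0;
    for (size_t i = 0; i < sizeof e.data; ++i)
        if (e.data[i] != 0xAA) return 0;
    return 1;
}

/* strncpy property from the note: exactly 'count' bytes are written. Copies "X" with
   count 10 into a 16-byte 0xAA-filled buffer and returns how many bytes were touched. */
size_t StrncpyBytesWritten(void)
{
    unsigned char buf[16];
    memset(buf, 0xAA, sizeof buf);
    strncpy((char *)buf, "X", 10);
    size_t touched = 0;
    for (size_t i = 0; i < sizeof buf; ++i)
        if (buf[i] != 0xAA) ++touched;
    return touched;   /* 10: 'X' plus nine padding zeros */
}
/* Safe pattern: derive count from the destination and terminate explicitly.
   Copies 'src' into a 5-byte local buffer and returns the stored length. */
size_t CopyIntoSmallBuf(const char *src)
{
    char buf[5];
    strncpy(buf, src, sizeof buf - 1);   /* at most 4 bytes, padding stays inside buf */
    buf[sizeof buf - 1] = '\0';
    return strlen(buf);
}
```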
This diagnostic is classified as:
You can look at examples of errors detected by the V512 diagnostic.