[C-safe-secure-studygroup] checker

Roberto Bagnara bagnara at cs.unipr.it
Wed Jan 23 19:38:24 GMT 2019


On 23/01/19 19:06, Robert Seacord wrote:
> Has anyone implemented a static analysis checker that would detect when a programmer incorrectly specifies the size of the source array instead of the destination array, for example:
>
> void func (void) {
>    char source[] = "...";
>    char dest[N];
>    ...
>    strcpy_s(dest, sizeof source, source);
> }


The C implementation I have here does not have strcpy_s().
On a similar example with strncpy() with ECLAIR I get two
violations of MISRA C:2012 Amendment 1 Rules 21.17 and 21.18:

$ cat /tmp/p.c
#include <string.h>

void func (void) {
   char source[] = "...";
   char dest[3];

   strncpy(dest, source, sizeof(source));
}
$ eclair_env -enable=MC3A1.R21 -- gcc -c /tmp/p.c
/tmp/p.c:7.25-7.30: violation for rule MC3A1.R21.18 (The `size_t' argument passed to any function in `<string.h>' shall have an appropriate value.) Loc #1 [culprit: argument #3 (`sizeof' expression trait) has value 4 > 3, the minimal size of the pointer arguments]
   strncpy(dest, source, sizeof(source));
                         <~~~~>
/tmp/p.c:7.11-7.14: Loc #2 [evidence: argument #1 (reference to local variable `dest') has size 3]
   strncpy(dest, source, sizeof(source));
           <~~>
/tmp/p.c:7.3-7.9: Loc #3 [context: call to function `strncpy(char*restrict, const char*restrict, size_t)']
   strncpy(dest, source, sizeof(source));
   <~~~~~>
/tmp/p.c:7.25-7.38: caution for rule MC3A1.R21.17 (Use of the string handling functions from `<string.h>' shall not result in accesses beyond the bounds of the objects referenced by their pointer parameters.) Loc #1 [culprit: [1] Size argument is greater than the length of the destination buffer]
   strncpy(dest, source, sizeof(source));
                         <~~~~~~~~~~~~>
$


-- 
      Prof. Roberto Bagnara

Applied Formal Methods Laboratory - University of Parma, Italy
mailto:bagnara at cs.unipr.it
                               BUGSENG srl - http://bugseng.com
                               mailto:roberto.bagnara at bugseng.com
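A minimal syntactic checker for the pattern asked about in the thread, added here as an example; it is neither the thread's code nor part of ECLAIR. It assumes the Annex K argument order (dest, destsz, src) for the `_s` functions and only compares identifiers: it flags a size argument written as `sizeof` of the source operand, but unlike ECLAIR it cannot compute actual object sizes. The sample input is constructed, modelled on the snippet above.

```python
import re

# 0-based positions of (dest, src, size): strncpy/memcpy take (dest, src, n),
# the Annex K *_s variants take (dest, destsz, src).
SIGNATURES = {
    "strncpy": (0, 1, 2), "strncat": (0, 1, 2), "memcpy": (0, 1, 2),
    "strcpy_s": (0, 2, 1), "strncpy_s": (0, 2, 1), "strcat_s": (0, 2, 1),
}
CALL_RE = re.compile(r"\b(" + "|".join(SIGNATURES) + r")\s*\(")
SIZEOF_RE = re.compile(r"^sizeof\s*\(?\s*([A-Za-z_]\w*)\s*\)?$")

def split_args(text: str, start: int) -> list[str]:
    """Split the C argument list starting just after '(' at text[start]; nested parentheses such as sizeof(x) are kept intact."""
    depth, args, cur = 0, [], ""
    for ch in text[start:]:
        if ch == ")" and depth == 0:
            return args + [cur.strip()]
        if ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
            continue
        depth += (ch == "(") - (ch == ")")
        cur += ch
    raise ValueError("unterminated call")

def find_swapped_sizeof(c_source: str) -> list[tuple[int, str, str]]:
    """Return (line, function, size_expr) for every call whose size argument is
    `sizeof` of the source operand rather than the destination (syntactic only)."""
    findings = []
    for m in CALL_RE.finditer(c_source):
        fn = m.group(1)
        args = split_args(c_source, m.end())
        dst_i, src_i, size_i = SIGNATURES[fn]
        if len(args) <= max(dst_i, src_i, size_i):
            continue  # fewer arguments than expected; leave it to the compiler
        sz = SIZEOF_RE.match(args[size_i])
        if sz and sz.group(1) == args[src_i] and args[src_i] != args[dst_i]:
            findings.append((c_source.count("\n", 0, m.start()) + 1, fn, args[size_i]))
    return findings

# Constructed sample, modelled on the snippet in the thread.
SAMPLE = """\
void func(void) {
   char source[] = "...";
   char dest[3];
   strncpy(dest, source, sizeof(source));  /* size of the wrong object */
   strncpy(dest, source, sizeof dest);     /* fine */
   strcpy_s(dest, sizeof source, source);  /* Annex K order, still wrong */
}
"""
```

Calling `find_swapped_sizeof(SAMPLE)` reports the `strncpy` call on sample line 4 and the `strcpy_s` call on line 6, and stays silent on the `sizeof dest` call.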
