[C-safe-secure-studygroup] checker

Roberto Bagnara bagnara at cs.unipr.it
Wed Jan 23 19:38:24 GMT 2019

On 23/01/19 19:06, Robert Seacord wrote:
> Has anyone implemented a static analysis checker that would detect when a programmer incorrectly specifies the size of the source array instead of the destination array, for example:
> void func (void) {
>    char source[] = "...";
>    char dest[N];
>    ...
>    strcpy_s(dest, sizeof source, source);
> }

The C implementation I have here does not have strcpy_s().
On a similar example with strncpy() with ECLAIR I get two
violations of MISRA C:2012 Amendment 1 Rules 21.17 and 21.18:

$ cat /tmp/p.c
#include <string.h>

void func (void) {
   char source[] = "...";
   char dest[3];

   strncpy(dest, source, sizeof(source));
}
$ eclair_env -enable=MC3A1.R21 -- gcc -c /tmp/p.c
/tmp/p.c:7.25-7.30: violation for rule MC3A1.R21.18 (The `size_t' argument passed to any function in `<string.h>' shall have an appropriate value.) Loc #1 [culprit: argument #3 (`sizeof' expression trait) has value 4 > 3, the minimal size of the pointer arguments]
   strncpy(dest, source, sizeof(source));
/tmp/p.c:7.11-7.14: Loc #2 [evidence: argument #1 (reference to local variable `dest') has size 3]
   strncpy(dest, source, sizeof(source));
/tmp/p.c:7.3-7.9: Loc #3 [context: call to function `strncpy(char*restrict, const char*restrict, size_t)']
   strncpy(dest, source, sizeof(source));
/tmp/p.c:7.25-7.38: caution for rule MC3A1.R21.17 (Use of the string handling functions from `<string.h>' shall not result in accesses beyond the bounds of the objects referenced by their pointer parameters.) Loc #1 [culprit: [1] Size argument is greater than the length of the destination buffer]
   strncpy(dest, source, sizeof(source));

      Prof. Roberto Bagnara

Applied Formal Methods Laboratory - University of Parma, Italy
mailto:bagnara at cs.unipr.it
                               BUGSENG srl - http://bugseng.com
                               mailto:roberto.bagnara at bugseng.com
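The question at the top of the thread asks for a checker for exactly this mistake. As an added example (not part of the thread, and not ECLAIR or any MISRA-certified tool), here is a small line-based Python lint that flags a bounded copy whose size argument is `sizeof` of one of the other pointer arguments instead of the destination. The `BOUNDED_COPIES` table, the `call_args` helper and the `SAMPLE` input are constructed for this example; the lint works on raw text, so it ignores the preprocessor and skips calls split across lines.

```python
import re
# Constructed table of bounded copy functions: name -> (dest arg index, size arg index).
BOUNDED_COPIES = {
    "strcpy_s": (0, 1), "strncpy_s": (0, 1), "strcat_s": (0, 1), "snprintf": (0, 1),
    "strncpy": (0, 2), "strncat": (0, 2), "memcpy": (0, 2),
}
CALL_RE = re.compile(r"\b(\w+)\s*\(")
SIZEOF_RE = re.compile(r"^sizeof\s*\(?\s*(\w+)\s*\)?$")  # `sizeof x` or `sizeof(x)`

def call_args(line, open_idx):
    # Top-level-comma split of the args opened at line[open_idx]; None if ')' is not on this line.
    args, cur, depth = [], [], 0
    for ch in line[open_idx + 1:]:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:  # this ')' closes the call itself
            return args + ["".join(cur).strip()]
        if ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return None  # multi-line call: deliberately skipped by this lint

def check_line(line, lineno):
    """Flag calls whose size argument is sizeof(<an argument other than the destination>)."""
    findings = []
    for m in CALL_RE.finditer(line):
        name = m.group(1)
        if name not in BOUNDED_COPIES:
            continue
        args = call_args(line, m.end() - 1)
        dest_i, size_i = BOUNDED_COPIES[name]
        if args is None or len(args) <= max(dest_i, size_i):
            continue
        sm = SIZEOF_RE.match(args[size_i])
        if not sm or sm.group(1) == args[dest_i]:
            continue  # no sizeof, or sizeof of the destination itself: fine
        if sm.group(1) in [a for i, a in enumerate(args) if i not in (dest_i, size_i)]:
            findings.append((lineno, name, sm.group(1), args[dest_i]))
    return findings

def check_source(src):  # -> [(line, function, sizeof operand, destination), ...]
    return [f for n, l in enumerate(src.splitlines(), 1) for f in check_line(l, n)]

# Constructed sample: lines 1 and 2 repeat the pattern from the thread; 3 and 4 are correct.
SAMPLE = """\
    strncpy(dest, source, sizeof(source));
    strcpy_s(dest, sizeof source, source);
    strncpy(dest, source, sizeof(dest));
    snprintf(buf, sizeof buf, "%s", name);
"""
```

A real checker needs the symbol table as well: `sizeof` of a pointer parameter is the pointer size, not the object size, which is why ECLAIR reports the evidence for `dest` separately.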
