<div dir="ltr"><div dir="ltr"><div dir="ltr">Thanks, David! (and also Roberto).<div><br></div><div>On a related note,</div><div><br></div><div>when is it appropriate to use memcpy vs strcpy? </div><div><br></div><div>They are both included in the Section 7.24 String handling <string.h> of the C Standard.</div><div><br></div><div>Possible answers:</div><div>1. strcpy should be used when you are copying a string, and memcpy should only be used when copying memory</div><div>2. memcpy should be used when you know the size of the source and destination arrays without having to call strlen</div><div>Assuming array sizes are known:</div><div>3. use strcpy for small strings because memcpy is optimized for large moves and can be less efficient for small strings</div><div>4. use <span style="font-size:13px;color:rgb(36,39,41);font-family:Arial,"Helvetica Neue",Helvetica,sans-serif">memcpy has a </span><i style="font-size:13px;margin:0px;padding:0px;border:0px;font-variant-numeric:inherit;font-variant-east-asian:inherit;font-stretch:inherit;line-height:inherit;font-family:Arial,"Helvetica Neue",Helvetica,sans-serif;vertical-align:baseline;box-sizing:inherit;color:rgb(36,39,41)">much</i><span style="font-size:13px;color:rgb(36,39,41);font-family:Arial,"Helvetica Neue",Helvetica,sans-serif"> easier time being efficient for both large and small sizes, because the size is known up front.</span> </div><div>something else?</div><div><br></div><div>I'm also sort of annoyed that the memcpy_s function only cares about the size of the destination array and apparently is unconcerned with reading beyond the bounds of the source array. Probably the same is true with other _s functions.</div><div><br></div><div>rCs</div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Wed, Jan 23, 2019 at 2:26 PM Wheeler, David A <<a href="mailto:dwheeler@ida.org">dwheeler@ida.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Robert Seacord:<br>
> Has anyone implemented a static analysis checker that would detect when a programmer incorrectly specifies the size of the source array instead of the destination array, for example:<br>
void func (void) {<br>
char source[] = "...";<br>
char dest[N];<br>
...<br>
strcpy_s(dest, sizeof source, source);<br>
<br>
}<br>
<br>
Yes. In an almost vacuous way flawfinder sometimes does that - and it’s just a lexical analyzer.<br>
<br>
Flawfinder will warn about memcpy, but *NOT* if the count is given as sizeof(first arg). Since first arg is the dest, flawfinder *will* complain if the size of the *source* array is given, since that's the wrong one. It will even complain if the source array size is smaller than the destination (it's still the wrong size to use, and things can change in the future during maintenance).<br>
<br>
--- David A. Wheeler<br>
_______________________________________________<br>
C-safe-secure-studygroup mailing list<br>
<a href="mailto:C-safe-secure-studygroup@lists.trustable.io" target="_blank">C-safe-secure-studygroup@lists.trustable.io</a><br>
<a href="https://lists.trustable.io/cgi-bin/mailman/listinfo/c-safe-secure-studygroup" rel="noreferrer" target="_blank">https://lists.trustable.io/cgi-bin/mailman/listinfo/c-safe-secure-studygroup</a><br>
</blockquote></div>