hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 19:55:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: add cpp/very-likely-overruning-write help

Browse Source 
Also update the help of `cpp/overruning-write`, as the case shown there
will actually not be flagged by that query any more.
This commit is contained in:
Paolo Tranquilli
2021-12-14 11:17:29 +00:00
committed by GitHub
parent b979f02e5d
commit 10b62154a1
2 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.c
View File

@@ -1,9 +1,9 @@
void sayHello()
void sayHello(uint32_t userId)
{
char buffer[10];
char buffer[18];
// BAD: this message overflows the buffer
strcpy(buffer, "Hello, world!");
// BAD: this message overflows the buffer if userId >= 10000
sprintf(buffer, "Hello, user %d!", userId);
MessageBox(hWnd, buffer, "New Message", MB_OK);
}

10
cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.qhelp
View File

@@ -13,13 +13,13 @@
<example>
<sample src="OverrunWrite.c" />
<p>In this example, the call to <code>strcpy</code> copies a message of 14 characters (including the terminating null) into a buffer with space for just 10 characters. As such, the last four characters overflow the buffer resulting in undefined behavior.</p>
<p>In this example, the call to <code>sprintf</code> writes a message of 14 characters (including the terminating null) plus the length of the string conversion of `userId` into a buffer with space for just 18 characters. As such, if `userId` is greater or equal to `10000`, the last characters overflow the buffer resulting in undefined behavior.</p>
<p>To fix this issue three changes should be made:</p>
<p>To fix this issue one of three changes should be made:</p>
<ul>
<li>Control the size of the buffer using a preprocessor define.</li>
<li>Replace the call to <code>strcpy</code> with <code>strncpy</code>, specifying the define as the maximum length to copy. This will prevent the buffer overflow.</li>
<li>Consider increasing the buffer size, say to 20 characters, so that the message is displayed correctly.</li>
<li>Preferably, replace the call to <code>sprintf</code> with <code>snprintf</code>, specifying a define or `sizeof(buffer)` as maximum length to copy. This will prevent the buffer overflow.</li>
<li>If `userId` is expected to be less than `10000`, then return or throw an error if `userId` is out of bounds.</li>
<li>Consider increasing the buffer size to at least 25 characters, so that the message is displayed correctly regardless of the value of `userId`.</li>
</ul>
</example>