mirror of
https://github.com/github/codeql.git
synced 2025-12-24 12:46:34 +01:00
34 lines
1.4 KiB
XML
34 lines
1.4 KiB
XML
<!DOCTYPE qhelp PUBLIC
|
|
"-//Semmle//qhelp//EN"
|
|
"qhelp.dtd">
|
|
<qhelp>
|
|
<overview>
|
|
<p>The bounded copy functions <code>memcpy</code>, <code>memmove</code>, <code>strncpy</code>, <code>strncat</code> accept a size argument.
|
|
You should call these functions with a size argument that is derived from the size of the destination buffer.
|
|
Using a size argument that is derived from the source buffer may cause a buffer overflow.
|
|
Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
|
|
</overview>
|
|
|
|
<recommendation>
|
|
<p>Check the highlighted function calls carefully.
|
|
Ensure that the size parameter is derived from the size of the destination buffer, and
|
|
not the source buffer.</p>
|
|
|
|
<include src="aliasAnalysisWarning.inc.qhelp" />
|
|
</recommendation>
|
|
|
|
|
|
<example>
|
|
<p>
|
|
The code below shows an example where <code>strncpy</code> is called incorrectly, without checking the size of the destination buffer.
|
|
In the second example the call has been updated to include the size of the destination buffer.</p>
|
|
|
|
<sample src="OverflowDestination.cpp" />
|
|
</example>
|
|
|
|
<references>
|
|
<li>I. Gerg. <em>An Overview and Example of the Buffer-Overflow Exploit</em>. IANewsletter vol 7 no 4. 2005.</li>
|
|
<li>M. Donaldson. <em>Inside the Buffer Overflow Attack: Mechanism, Method & Prevention</em>. SANS Institute InfoSec Reading Room. 2002.</li>
|
|
</references>
|
|
</qhelp>
|