Rules Repository / RSPEC-5782

POSIX functions should not be called with arguments that trigger buffer overflows


    Details

    • Message:
      "vsnprintf" overflows write buffer "rawData()..."; passed size "blabla..." (256) exceeds buffer size (14)
    • Default Severity:
      Blocker
    • Impact:
      High
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way, MISRA C++ 2008 recommended
    • Covered Languages:
      C, C++, Objective-C
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5 min
    • Analysis Scope:
      Main Sources, Test Sources
    • Implementation details:
    • CERT:
      STR50-CPP, ARR30-C
    • CWE:
      CWE-119, CWE-131, CWE-788
    • OWASP:
      A9

      Description

      Array overruns and buffer overflows happen when a memory access goes beyond the boundary of the allocated array or buffer. Such out-of-bounds accesses cause some of the most damaging and hardest-to-track defects.

      When the overflow happens while reading a buffer, it can expose sensitive data that happens to sit next to the buffer in memory. When it happens while writing a buffer, it corrupts whatever is stored next to it, which an attacker can use to alter program data, hijack control flow (inject code), or wipe out sensitive memory.

      This rule detects calls to POSIX functions that take both a buffer argument and a size argument describing that buffer, where the size passed is larger than the buffer actually is (for example, a size of 256 passed together with a 14-byte array, as in the rule's message).

      Noncompliant Code Example

      #include <string.h>

      char array[10];
      initialize(array); // fills the 10-byte array (declared elsewhere)
      void *pos = memchr(array, '@', 42); // Noncompliant: memchr may read up to 42 bytes from a 10-byte buffer, exposing whatever follows it in memory
      

      Compliant Solution

      #include <string.h>

      char array[10];
      initialize(array); // fills the 10-byte array (declared elsewhere)
      void *pos = memchr(array, '@', sizeof array); // Compliant: the size is derived from the buffer itself (equivalent to passing 10)
      
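      The rule's message quotes the write case ("vsnprintf" called with a size of 256 on a 14-byte buffer), while the example above shows the read case. The following program, added here as an illustration and not part of the rule's own text, shows both shapes side by side: a `vsnprintf` wrapper whose size argument is derived from the destination with `sizeof`, and a `memchr` search bounded the same way. The `struct record` type, the `format_into`, `set_label` and `find_at` functions, and the sample strings are all assumptions made for this example; the 14-byte field mirrors the buffer size in the rule's message.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record type (an assumption of this example); the 14-byte
   label mirrors the "buffer size (14)" quoted in the rule's message.
   payload sits right after label, so an overflow of label lands in it. */
struct record {
    char label[14];
    char payload[32];
};

/* Safe write: the size handed to vsnprintf is the real capacity of the
   destination, so the call may truncate but can never write past the end.
   Returns 0 on success, 1 if the output was truncated, -1 on error. */
static int format_into(char *dst, size_t dst_size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dst_size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    /* vsnprintf returns the length the full output would have had */
    return (size_t)n >= dst_size ? 1 : 0;
}

/* Sets the label of r. The commented-out call is the noncompliant shape:
   a size unrelated to the destination. The live call derives the size
   from the destination itself. */
static int set_label(struct record *r, const char *text)
{
    /* return format_into(r->label, 256, "%s", text);
       Noncompliant: 256 exceeds sizeof r->label (14); a long text would
       overwrite r->payload and whatever follows the record in memory. */
    return format_into(r->label, sizeof r->label, "%s", text); /* Compliant */
}

/* Safe read: memchr is bounded by the array's own size, so it cannot read
   bytes that belong to a neighbouring object. Returns the offset of the
   first '@' in the label, or -1 when there is none within the array. */
static long find_at(const struct record *r)
{
    const void *pos = memchr(r->label, '@', sizeof r->label); /* Compliant */
    if (pos == NULL)
        return -1;
    return (long)((const char *)pos - r->label);
}

int main(void)
{
    struct record r;
    memset(&r, 0, sizeof r);

    /* Constructed sample input: fits in the 14-byte label */
    int rc = set_label(&r, "user@host");
    printf("short label: rc=%d label=\"%s\" '@' at %ld\n", rc, r.label, find_at(&r));

    /* Constructed sample input: too long, gets truncated instead of overflowing */
    rc = set_label(&r, "a-very-long-label-that-does-not-fit");
    printf("long label:  rc=%d label=\"%s\" payload[0]=%d\n", rc, r.label, r.payload[0]);
    return 0;
}
```

      The key habit the rule enforces is visible in `set_label` and `find_at`: the size argument is computed from the buffer it describes (`sizeof r->label`), not from a constant that happens to look large enough. With that, a too-long input produces a truncated label and a non-zero return code, and `r.payload` stays untouched.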

      Exceptions

      Socket functions that take a length of type socklen_t are not checked. These functions use a C-style polymorphic pattern: the buffer argument is declared as a pointer to the generic struct sockaddr, while the object actually passed is a larger, address-family-specific structure such as struct sockaddr_in6, and the socklen_t argument carries the size of that larger structure. The declared pointee type and the passed size therefore legitimately disagree, and checking them would produce false positives.

              People

              Assignee:
              Unassigned
              Reporter:
              freddy.mallet Freddy Mallet (Inactive)