The analyzer detected that data is copied from a possibly tainted source to the buffer.
Such sources can be:
Here's an example:
int main(int argc, char *argv[]) { .... const size_t buf_size = 1024; char *tmp = (char *) malloc(buf_size); .... strcpy(tmp, argv[0]); .... }
If the copied data size exceeds the buffer size, the buffer overflows. To avoid this, pre-calculate the required amount of memory:
int main(int argc, char *argv[]) { .... char buffer[1024]; errno_t err = strncpy_s(buffer, sizeof(buffer), argv[0], 1024); .... }
You can also allocate memory when you need it by using the 'realloc' function. In C++, you can use all classes, like 'std::string', to work with strings.
Before C++20, you could use a C string as a receiver buffer for standard input streams ('std::cin', 'std::ifstream'):
void BadRead(char *receiver) { std::cin >> receiver; }
Fortunately, this feature was removed in C++20. Now you can use the standard library input streams only with arrays of known size. And there's an implicit limit on a maximum number of characters read.
void Exception2Cpp20() { char *buffer1 = new char[10]; std::cin >> buffer1; // Won't compile since C++20 char buffer2[10]; std::cin >> buffer2; // no overflow // max 9 chars will be read }
You can read more about this change (with examples of use) in the P0487R1 proposal to the C++20 standard.
Attackers can manipulate the value returned by some functions. If you work with those values, be extremely careful:
void InsecureDataProcessing() { char oldLocale[50]; strcpy(oldLocale, setlocale(LC_ALL, nullptr)); .... }
In this example, a fixed-size buffer is created. The 'LC_ALL' environment variable is read to this buffer. If an attacker can manipulate it, then reading this variable can lead to the buffer overflow.
The analyzer won't issue a warning if the data source is unknown:
void Exception1(int argc, char *argv[]) { char *src = GetData(); char *tmp = (char *)malloc(1024); strcpy(tmp, src); .... }
This diagnostic is classified as:
|