[cfe-commits] [PATCH] review request: strcpy() security checker CWE-119
Marshall Clow
mclow.lists at gmail.com
Thu Mar 31 13:05:42 PDT 2011
On Mar 31, 2011, at 12:34 PM, Lenny Maiorani wrote:
> While I am at it, poking around in the string functions, here is a security syntax checker for strcpy() which causes the Static Analyzer to generate a warning any time the strcpy() function is used with a note suggesting to use a function which provides bounded buffers.
>
> I included in the warning description the CWE number. Is this useful?
>
> Should the warning description also contain suggestions like strncpy() and strlcpy()? Since there are a number of options I left that suggestion out in leiu of the CWE number.
Can you check and see if the source is a literal constant, and the size of the destination is big enough, and in that case not issue the warning?
char buffer[10];
strcpy ( buffer, "Hi Mom!" );
should not trigger a warning.
-- Marshall
P.S. I think it's great that you're adding these!
More information about the cfe-commits
mailing list