[cfe-dev] [PATCH] Bug 18412 - Warn on scanf string format no field limits

Zach Davis zdavkeos at gmail.com
Thu Jan 30 14:35:31 PST 2014


Hi all-

I have been working on a patch for bug 18412 "CVE-2013-6462:
scanf %s should always have field limits" and was hoping to get
some comments.

The patch generates a bug report when a *scanf function uses %s
without a field width.  It generates a warning from the compiler
rather than the static analyzer as proposed in the bug report.

Questions:
- Is this a desirable feature (vs. the static analyzer)?
- Will the false-positive rate be too high?
- The warning currently falls under the "FormatSecurity" group,
  which seems ok except that "FormatSecurity" also falls under
  the "format-nonliteral" category, which is making many unit tests
  fail. Is this behavior intentional?

Example:

18412.c:9:27: warning: no field width in scanf string format specifier
(potentially insecure)
  if (sscanf(line, "name: %s", name) != 1) {
                          ^~

Zach
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 18412.patch
Type: application/octet-stream
Size: 1700 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20140130/96f44a80/attachment.obj>
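The attached patch itself is not reproduced in the archive, so the following is an added example (not Zach's code and not from clang) of the construct the proposed warning flags and of the field-width form that avoids it. The buffer size NAME_LEN, the parse_name functions and the truncation check are assumptions for illustration; the sample inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the name field; the +1 below is for the
   terminating NUL that sscanf always appends after %s. */
#define NAME_LEN 15

/* Two-step stringification so the field width in the format string
   tracks NAME_LEN instead of being a hand-maintained literal. */
#define STR2(x) #x
#define STR(x) STR2(x)

/* The form the warning is about: %s with no field width. sscanf will
   copy as many non-whitespace bytes as the input contains, so any line
   longer than the buffer overflows it. Kept here only to show the
   flagged construct; never call it on untrusted input. */
int parse_name_unbounded(const char *line, char name[NAME_LEN + 1])
{
    return sscanf(line, "name: %s", name) == 1;
}

/* Bounded form. "%15s" reads at most NAME_LEN non-whitespace bytes,
   so name[NAME_LEN + 1] can never be overrun. %n records how many
   input bytes were consumed so the caller can detect truncation.
   Returns 1 on success, 0 if the line did not match,
   -1 if the name was longer than NAME_LEN and got cut. */
int parse_name(const char *line, char name[NAME_LEN + 1])
{
    int end = -1;

    if (sscanf(line, "name: %" STR(NAME_LEN) "s%n", name, &end) != 1)
        return 0;

    /* If the next unread byte is neither whitespace nor end of string,
       %15s stopped because of the width limit, not because the token
       ended: the input name was truncated. */
    if (line[end] != '\0' && !isspace((unsigned char)line[end]))
        return -1;

    return 1;
}

int main(void)
{
    /* Constructed sample lines. */
    const char *lines[] = {
        "name: alice",
        "name: abcdefghijklmnopqrstuvwxyz",
        "id: 7",
    };
    char name[NAME_LEN + 1];

    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int rc = parse_name(lines[i], name);
        printf("%-40s -> rc=%d name=\"%s\"\n", lines[i], rc,
               rc != 0 ? name : "");
    }
    return 0;
}
```

The field width counts bytes read, not buffer size, which is why the buffer is declared one larger than the number in the format; getting that off by one is the usual mistake once the width is added, and the %n check is what turns silent truncation into a reportable parse error.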