[cfe-dev] [PATCH] Bug 18412 - Warn on scanf string format no field limits

Justin Bogner mail at justinbogner.com
Thu Jan 30 18:43:00 PST 2014

Zach Davis <zdavkeos at gmail.com> writes:
> I have been working on a patch for bug 18412 "CVE-2013-6462:
> scanf %s should always have field limits" and was hoping to get
> some comments.
> The patch generates a bug report when a *scanf function uses %s
> without a field width.  It generates a warning from the compiler
> rather than the static analyzer as proposed in the bug report.
> Questions:
> - Is this a desirable feature (vs. the static analyzer)?
> - Will the false-positive rate be too high?

I suspect that this warning will trigger quite often on code in the
wild. Have you tried compiling any large code bases with this? That's
generally a good way to get an idea of the false positive rate.

> - The warning currently falls under the "FormatSecurity" group,
>   which seems ok except that "FormatSecurity" also falls under
>   the "format-nonliteral" category which is making many unittests
>   fail. Is this behavior intentional?
> Example:
> 18412.c:9:27: warning: no field width in scanf string format specifier
> (potentially insecure)
>   if (sscanf(line, "name: %s", name) != 1) {
>                           ^~
> Zach
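A small checker in the spirit of the patch under discussion, written as an added example for this page (it is not the patch from the thread and not clang code): it walks a scanf format string and reports the first `%s` conversion that has no field width, going slightly beyond the thread by treating `%[` the same way, and it shows the bounded form of the thread's own `sscanf(line, "name: %s", name)` call. Treating `%*s` (assignment suppressed) and POSIX `%ms` (library-allocated) as safe is my assumption, since neither writes into a caller-supplied buffer.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Return the 1-based index of the first "%s" or "%[...]" conversion in a
 * scanf format string that has no field width and is neither suppressed
 * ("%*s") nor allocating ("%ms"), or 0 if every string conversion is bounded.
 * Hypothetical checker for this example; not the compiler patch itself. */
int first_unbounded_string_conv(const char *fmt)
{
    int idx = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (*++p == '%')                 /* "%%" is a literal percent sign */
            continue;
        idx++;
        int suppressed = 0, has_width = 0, allocates = 0;
        if (*p == '*') { suppressed = 1; p++; }        /* nothing is stored */
        while (isdigit((unsigned char)*p)) { has_width = 1; p++; }
        if (*p == 'm') { allocates = 1; p++; }         /* POSIX: malloc'd buffer */
        while (*p && strchr("hlLjzt", *p)) p++;        /* length modifiers */
        if ((*p == 's' || *p == '[') && !suppressed && !has_width && !allocates)
            return idx;
        if (*p == '[') {                               /* skip over the scanset */
            if (*++p == '^') p++;
            if (*p == ']') p++;                        /* leading ']' is literal */
            while (*p && *p != ']') p++;
        }
        if (!*p) break;                                /* truncated format */
    }
    return 0;
}

/* Bounded replacement for the thread's sscanf(line, "name: %s", name):
 * derive the field width from the destination size so the two cannot drift
 * apart.  Returns 1 on a successful (possibly truncated) read, else 0. */
int read_name(const char *line, char *name, size_t name_size)
{
    char fmt[32];
    if (name_size < 2)
        return 0;
    /* e.g. name_size == 64 yields "name: %63s" */
    snprintf(fmt, sizeof fmt, "name: %%%zus", name_size - 1);
    return sscanf(line, fmt, name) == 1;
}
```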
