[cfe-dev] [PATCH] Bug 18412 - Warn on scanf string format no field limits
Justin Bogner
mail at justinbogner.com
Thu Jan 30 18:43:00 PST 2014
Zach Davis <zdavkeos at gmail.com> writes:
> I have been working on a patch for bug 18412 "CVE-2013-6462:
> scanf %s should always have field limits" and was hoping to get
> some comments.
>
> The patch generates a bug report when a *scanf function uses %s
> without a field width. It generates a warning from the compiler
> rather than the static analyzer as proposed in the bug report.
>
> Questions:
> - Is this a desirable feature (vs. the static analyzer)?
> - Will the false-positive rate be too high?
I suspect that this warning will trigger quite often on code in the
wild. Have you tried compiling any large code bases with this? That's
generally a good way to get an idea of the false positive rate.
> - The warning currently falls under the "FormatSecurity" group,
> which seems ok except that "FormatSecurity" also falls under
> the "format-nonliteral" category which is making many unittests
> fail. Is this behavior intentional?
>
> Example:
>
> 18412.c:9:27: warning: no field width in scanf string format specifier
> (potentially insecure)
> if (sscanf(line, "name: %s", name) != 1) {
> ^~
>
> Zach
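The sscanf call from the example above, shown beside a version with the field width the proposed warning asks for, as an added illustration that is not part of the patch or of either message in the thread; NAME_MAX, parse_name_unsafe and parse_name_safe are constructed names for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not from the patch): parse a "name: <token>" line
   into a fixed-size buffer. NAME_MAX is an assumed buffer size. */
#define NAME_MAX 15                 /* longest name stored, excluding the NUL */
#define STR2(x) #x
#define STR(x) STR2(x)              /* turns NAME_MAX into the literal "15" */

/* Before: "%s" with no field width. A token longer than the buffer
   overruns name[]; this is the pattern the warning in the thread flags. */
int parse_name_unsafe(const char *line, char name[NAME_MAX + 1]) {
    return sscanf(line, "name: %s", name) == 1;
}

/* After: the width is part of the literal format, so sscanf writes at most
   NAME_MAX bytes plus the terminator. A width also truncates silently, so
   %n records where matching stopped and the caller rejects a token that
   did not end at whitespace or at end-of-string. */
int parse_name_safe(const char *line, char name[NAME_MAX + 1]) {
    int end = -1;
    if (sscanf(line, "name: %" STR(NAME_MAX) "s%n", name, &end) != 1)
        return 0;                   /* no token matched at all */
    if (end < 0)
        return 0;
    if (line[end] != '\0' && !isspace((unsigned char)line[end]))
        return 0;                   /* token longer than NAME_MAX: truncated */
    return 1;
}
```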