[splint-discuss] detecting buffer overflows
Thomas
tom at electric-sheep.org
Wed May 14 07:33:18 PDT 2008
Hello everybody,
I attached a file with different C functions that cause an overflow (or not).
I was wondering a bit about the detection of the vulnerable code.
a: detected
   bof_static.c:12:2: Likely out-of-bounds store: a[5]
   bof_static.c:13:2: Likely out-of-bounds store: b[10]
b: *not* detected
   no complaints about the off-by-one
c: detected
   bof_static.c:20:2: Possible out-of-bounds store: strcpy(a, b)
d,e,g,h,i: *not* detected
   no warning about the overflow (1 and 2 bytes)
f,j: detected
   here the overflows are detected, too late
k: detected
   bof_static.c:55:3: Possible out-of-bounds store: b[i]
l: not detected
   this one is only detected if (k) is not in the code
In the case of (l), why is no warning displayed?
Are the constraints for memset(), memcpy(), strncpy() not correct?
Bye
Thomas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bof_static.c
Type: text/x-csrc
Size: 1057 bytes
Desc: not available
Url : http://www.cs.virginia.edu/pipermail/splint-discuss/attachments/20080514/5beef11c/attachment.bin
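An added example, not part of Thomas's message or the attached bof_static.c, showing how the strcpy/strncpy/memset cases in the list above can be guarded by an explicit size check at the call site so the write is refused rather than detected too late; the helper names are hypothetical, and the `/*@requires maxSet(...) @*/` comments use Splint's buffer-constraint annotation syntax so the analyzer can check callers against the stated size.

```c
#include <stddef.h>
#include <string.h>

/* Copy src into dst (dst_size bytes, terminator included).
 * Returns 0 on success, -1 if src does not fit; dst is left
 * unchanged on failure so a caller cannot use a half-written buffer.
 * The Splint annotation states the precondition the caller must meet. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
    /*@requires maxSet(dst) >= (dst_size - 1) @*/
{
    size_t n;
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_size)        /* n + 1 bytes needed; >= is the off-by-one guard */
        return -1;
    memcpy(dst, src, n + 1);  /* n + 1 <= dst_size, terminator included */
    return 0;
}

/* strncpy leaves dst unterminated when src fills the whole buffer; this
 * wrapper copies at most dst_size - 1 bytes and always terminates.
 * Returns the number of bytes of src that were kept. */
size_t bounded_strncpy(char *dst, size_t dst_size, const char *src)
    /*@requires maxSet(dst) >= (dst_size - 1) @*/
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return 0;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(dst);
}

/* memset takes a byte count; deriving it from the size the caller
 * passes (sizeof the array, not sizeof a pointer) keeps the count tied
 * to the real allocation. Returns the number of bytes filled. */
size_t bounded_fill(char *dst, size_t dst_size, int c)
    /*@requires maxSet(dst) >= (dst_size - 1) @*/
{
    if (dst == NULL || dst_size == 0)
        return 0;
    memset(dst, c, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return dst_size - 1;
}
```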