[splint-discuss] detecting buffer overflows
Bill Pringlemeir
splint at sympatico.ca
Wed May 14 19:07:37 PDT 2008
Try this command, "splint +strict bof_static.c". Some of the
detections that you might think are easy can do the following,
1) Introduce many false positives.
2) Require a lot of CPU power to track values.
3) Add little value to realistic code samples.
The strict mode has the highest use of CPU and also introduces the
most false positives. Choosing errors to track is an art. You wish
to minimize false positives, not take exorbitant CPU time and catch
the majority of common programming errors.
I think with +strict many of the errors are flagged. There is also
'+strictposixlib' (or some such) which might have more stringent
standard library annotations.
Finally, I am not quite sure if some of your loops are infinite. A
good warning might be "loop terminates after overflow" for some of
them.
fwiw,
Bill Pringlemeir.
On 14 May 2008, tom at electric-sheep.org wrote:
> Hello everybody, I attached a file with different C functions that
> cause an overflow (or not).
>
> I was wondering a bit about the detection of the vulnerable code.
>
> a: detected
> bof_static.c:12:2: Likely out-of-bounds store: a[5]
> bof_static.c:13:2: Likely out-of-bounds store: b[10]
>
> b: *not* detected
> no complaints about the off-by-one
>
> c: detected
> bof_static.c:20:2: Possible out-of-bounds store: strcpy(a, b)
>
> d,e,g,h,i: *not* detected
> no warning about the overflow (1 and 2 bytes)
>
> f,j: detected
> here the overflows are detected, too late
>
> k: detected
> bof_static.c:55:3: Possible out-of-bounds store: b[i]
>
> l: not detected
> this one is only detected if (k) is not in the code
>
>
> In the case of (l), why is no warning displayed?
>
> Are the constraints for memset(), memcpy(), strncpy() not correct?
>
>
> Bye
> Thomas
>
>
> _______________________________________________
> splint-discuss mailing list
> splint-discuss at mail.cs.virginia.edu
> http://www.cs.virginia.edu/mailman/listinfo/splint-discuss
--
Keep an open mind. But not so open your brains fall out. - Kallis'
Law
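As an added example (not code from this thread, from Thomas's attachment, or from splint itself), here is the kind of rewrite the thread points at: the `i <= len` off-by-one loop that the original post reports as *not* flagged, run against a canary so the one-past write is at least observable at run time; a fill loop with the bound made an explicit parameter; and a bounded copy that truncates and reports instead of overflowing the way `strcpy(a, b)` does. The `/*@requires maxSet(dst) >= ... @*/` clause is splint's own annotation syntax, so `splint +bounds` can check the caller's buffer size against it. The function names, `BUF_LEN` and the `CANARY` value are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for this example only. */
#define BUF_LEN 5
#define CANARY  0x5A5A5A5A

/* Fill with the bound passed in explicitly; '<' rather than '<=' keeps
   every index inside [0, cap). Returns the number of elements written. */
size_t fill_bounded(int *buf, size_t cap, int value)
{
    size_t i;
    for (i = 0; i < cap; i++) {
        buf[i] = value;
    }
    return i;
}

/* Bounded replacement for strcpy(a, b): always NUL-terminates when
   dstsize > 0, returns 1 if src fit and 0 if it had to be truncated.
   The splint annotation states the precondition on the caller's buffer. */
int copy_bounded(char *dst, size_t dstsize, const char *src)
    /*@requires maxSet(dst) >= (dstsize - 1) @*/
{
    size_t n;
    if (dstsize == 0) {
        return 0;
    }
    n = strlen(src);
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

/* The "<=" loop from the thread, run on a backing array one larger than
   the logical buffer so the extra write lands on a canary instead of on
   unrelated memory. Returns 1 if the canary was overwritten, 0 if not,
   -1 if len is too large for the backing array. */
int offbyone_clobbers_canary(size_t len)
{
    int backing[BUF_LEN + 1];
    size_t i;
    if (len > BUF_LEN) {
        return -1;
    }
    backing[len] = CANARY;
    for (i = 0; i <= len; i++) {   /* off-by-one: index len is one past the end */
        backing[i] = 0;
    }
    return backing[len] != CANARY;
}

/* Returns 0 when every case above behaves as described, else a case number. */
int self_check(void)
{
    int nums[BUF_LEN];
    char small[4];
    if (fill_bounded(nums, BUF_LEN, 7) != BUF_LEN) {
        return 1;
    }
    if (copy_bounded(small, sizeof small, "abc") != 1 || strcmp(small, "abc") != 0) {
        return 2;
    }
    if (copy_bounded(small, sizeof small, "abcdef") != 0 || strcmp(small, "abc") != 0) {
        return 3;
    }
    if (offbyone_clobbers_canary(BUF_LEN) != 1) {
        return 4;
    }
    return 0;
}

int main(void)
{
    int rc = self_check();
    printf("self_check: %d (0 = all cases as expected)\n", rc);
    printf("off-by-one loop clobbered canary: %d\n", offbyone_clobbers_canary(BUF_LEN));
    return rc;
}
```

The canary only makes the overflow visible for the one index past the logical end; it is a test aid, not a substitute for the static bound. The point of `fill_bounded` and `copy_bounded` is that the size is a named parameter the analyzer and the reader can both compare against the loop condition and the `requires` clause.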