Why do some static analysis tools not report potential buffer overflows?

I have an example of a strcpy call that seems to be at risk of a buffer overflow, but PVS-Studio doesn't raise a warning. In my example, strcpy is used to copy a command line argument into a buffer, without checking the size of the command line argument. This could result in a buffer overflow if the argument exceeds the size of the buffer.

Code example:

#include <string.h>

char carg1[13];
int main(int argc, char* argv[])
{
    // Get name from the 1st command line arg (no length check, as posted)
    strcpy(carg1, argv[1]);
    /* … */
    return 0;
}

The size of argv[1] isn't checked before being copied into carg1. Shouldn't this raise a warning?

Sam Johnson asked Jan 23 '26 14:01


2 Answers

It's theoretically impossible to build a perfect static analysis tool (this follows from results like the undecidability of the halting problem). As a result, all static analysis tools are at best heuristics that can try to detect certain classes of errors, and even then can't necessarily detect all of those errors.

So yes, the code you've got above looks like it has a potential buffer overflow. I honestly don't know why this particular tool can't detect the error, but my guess is that the internal heuristics the analyzer uses are for some reason failing to detect it.

Hope this helps!

templatetypedef answered Jan 26 '26 22:01


There are 3 facts:

1) If you use the Visual C++ compiler then you will receive compiler warning C4996:

1>robust.cpp(529): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.
1>  C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\include\string.h(110) : see declaration of 'strcpy'

2) PVS-Studio initially worked with Visual Studio only.

3) PVS-Studio's policy is to implement diagnostic rules which do not duplicate compiler warnings.

So it seems logical that PVS doesn't check a case which has already been checked by the Microsoft compiler for a long time (since VS2005).

Updated: Finally PVS implemented such a diagnostic rule: https://www.viva64.com/en/w/V755/print/

Andrey answered Jan 26 '26 20:01
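Both answers agree that the posted strcpy is a real overflow and that the fix is a bounded copy (the MSVC warning points at strcpy_s, which is not available on every libc). The following is an added example, not code from the question or either answer: it puts the unchecked copy beside a portable checked version for the same 13-byte buffer, and makes the boundary explicit that a static analyzer cannot see from the source alone, namely that argv[1] may be any length at run time, and that an argument of exactly 13 characters already overflows because strcpy also writes the terminating NUL. The names copy_arg_unchecked, copy_arg_checked, max_arg_len and CARG_SIZE are mine, not from the page or from PVS-Studio.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer size from the question: room for 12 characters plus the NUL. */
#define CARG_SIZE 13

/* Vulnerable form, as posted in the question: no length check, so any
 * argument of CARG_SIZE or more characters (13+, because strcpy also
 * writes the terminating NUL) runs past the end of dst. Kept here only
 * for comparison; main() below does not call it. */
void copy_arg_unchecked(char dst[CARG_SIZE], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form (hypothetical helper, not from the page): copy src into
 * dst only if it fits, terminator included. The length scan is bounded
 * by dstsz, so an unterminated or enormous argument is never read past
 * the point where we already know the answer is "too long". Returns 0
 * on success, -1 on NULL input or overlong src; dst is untouched on
 * failure. */
int copy_arg_checked(char *dst, size_t dstsz, const char *src)
{
    if (src == NULL || dstsz == 0)
        return -1;

    size_t len = 0;
    while (len < dstsz && src[len] != '\0')
        len++;

    /* No NUL within dstsz bytes: src has >= dstsz characters, and the
     * terminator would land one past the end. Note the check is
     * effectively len >= dstsz, not len > dstsz. */
    if (len == dstsz)
        return -1;

    memcpy(dst, src, len + 1); /* include the NUL */
    return 0;
}

/* Largest argument length a buffer of dstsz bytes can hold as a string. */
size_t max_arg_len(size_t dstsz)
{
    return dstsz ? dstsz - 1 : 0;
}

int main(int argc, char *argv[])
{
    char carg1[CARG_SIZE];

    /* The original also dereferences argv[1] without checking argc. */
    if (argc < 2) {
        fprintf(stderr, "usage: %s <name>\n", argv[0]);
        return 2;
    }

    if (copy_arg_checked(carg1, sizeof carg1, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %zu characters)\n",
                max_arg_len(sizeof carg1));
        return 1;
    }

    printf("name: %s\n", carg1);
    return 0;
}
```

Running the program with a 12-character argument prints it back; a 13-character argument is rejected instead of silently overwriting whatever follows carg1. The same boundary is what a diagnostic such as V755 has to reason about: the destination size is a compile-time constant, but the source length is only known at run time, so the tool can only flag the pattern (unbounded copy into a fixed buffer), not prove an overflow will happen.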