Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#FFcccc
langc
enum { buffer_size = 50 };

struct buffer {
  size_t size;
  char bufferC[buffer_size];
} buff;

/* ... */

void func(const struct buffer *buf) {

  /*
   * Incorrectly assumes sizeof(struct buffer) =
   * sizeof(size_t) + sizeof(buff.bufferC)
   */
  struct buffer *buf_cpy = (struct buffer *)malloc(
    sizeof(size_t) + sizeof(buff.bufferC(buffer_size * sizeof(char) /* 1 */)
  );

  if (buf_cpy == NULL) {
    /* Handle malloc() error */
  }

  /* 
   * With padding, sizeof(struct buffer) may be greater than
   * sizeof(size_t) + sizeof(buff.bufferC), causing some data  
   * to be written outside the bounds of the memory allocated.
   */
  memcpy(buf_cpy, buf, sizeof(struct buffer));

  /* ... */

  free(buf_cpy);
}

...

Code Block
bgColor#ccccff
langc
enum { buffer_size = 50 };

struct buffer {
  size_t size;
  char bufferC[buffer_size];
} buff;

/* ... */

void func(const struct buffer *buf) {

  struct buffer *buf_cpy = 
    (struct buffer *)malloc(sizeof(struct buffer));

  if (buf_cpy == NULL) {
    /* Handle malloc() error */
  }

  /* ... */

  memcpy(buf_cpy, buf, sizeof(struct buffer));

  /* ... */

  free(buf_cpy);
}

...

Partially implemented

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported: Astrée reports accesses outside the bounds of allocated memory.
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C0697
LDRA tool suite
Include Page
LDRA_V
LDRA_V

578 S

Enhanced enforcement

PRQA QA-C
Include Page
PRQA QA-C_vPRQA QA-C_v0697

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...