...
| Code Block | ||||
|---|---|---|---|---|
| ||||
enum { buffer_size = 50 };
struct buffer {
size_t size;
char bufferC[buffer_size];
} buff;
/* ... */
void func(const struct buffer *buf) {
/*
* Incorrectly assumes sizeof(struct buffer) =
* sizeof(size_t) + sizeof(buff.bufferC)
*/
struct buffer *buf_cpy = (struct buffer *)malloc(
sizeof(size_t) + (buffer_size * sizeof(buff.bufferCchar) /* 1 */)
);
if (buf_cpy == NULL) {
/* Handle malloc() error */
}
/*
* With padding, sizeof(struct buffer) may be greater than
* sizeof(size_t) + sizeof(buff.bufferC), causing some data
* to be written outside the bounds of the memory allocated.
*/
memcpy(buf_cpy, buf, sizeof(struct buffer));
/* ... */
free(buf_cpy);
}
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
enum { buffer_size = 50 };
struct buffer {
size_t size;
char bufferC[buffer_size];
} buff;
/* ... */
void func(const struct buffer *buf) {
struct buffer *buf_cpy =
(struct buffer *)malloc(sizeof(struct buffer));
if (buf_cpy == NULL) {
/* Handle malloc() error */
}
/* ... */
memcpy(buf_cpy, buf, sizeof(struct buffer));
/* ... */
free(buf_cpy);
}
|
...
Recommendation | Severity | Likelihood | Detectable | RepairableRemediation Cost | Priority | Level |
|---|---|---|---|---|---|---|
EXP03-C | High | Unlikely | No | NoHigh | P3 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| Supported: Astrée reports accesses outside the bounds of allocated memory. | |||||||||||
| Helix QAC |
| C0697 | |||||||||||
| LDRA tool suite |
| 578 S | Enhanced enforcement | ||||||||||
| Polyspace Bug Finder |
| PRQA QA-C_v | PRQA QA-C_v | 0697 | Partially implemented
| Checks for incorrectly computed struct size (rec. fully covered). |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...