unsafe-ret-strlcpy-strlcat.yaml
rules:
  - id: raptor-unsafe-ret-strlcpy-strlcat
    metadata:
      author: Marco Ivaldi <raptor@0xdeadbeef.info>
      references:
        - https://lwn.net/Articles/507319/
        - https://g.co/kgs/PCHQjJ
      confidence: MEDIUM
    message: >-
      The strlcpy() and strlcat() functions return the total length of the
      string they tried to create. For strlcpy() that means the length of
      the source string. For strlcat() that means the initial length of the
      destination string plus the length of the source string.
      Therefore, this return value can be larger than the size of the
      destination buffer. If it is used unsafely, e.g. as an index to write
      to the destination buffer, memory corruption might occur.
    severity: WARNING
    languages:
      - c
      - cpp
    pattern-either:
      # =
      - pattern: $RET = strlcpy(...)
      - pattern: $RET = strlcat(...)
      - pattern: $RET = wcslcpy(...)
      - pattern: $RET = wcslcat(...)
      # +=
      - pattern: $RET += strlcpy(...)
      - pattern: $RET += strlcat(...)
      - pattern: $RET += wcslcpy(...)
      - pattern: $RET += wcslcat(...)
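
The return-value behaviour described in the rule message, shown as an added example (not part of this rule file or its repository): the flagged pattern next to a checked version. `ex_strlcpy`, `unchecked_offset` and `append_slash_checked` are hypothetical names; `ex_strlcpy` is a local stand-in with strlcpy() semantics so the code builds where libc does not provide strlcpy().

```c
#include <stdio.h>
#include <string.h>

/* Stand-in with strlcpy() semantics (assumption, see lead-in):
 * copies at most size-1 bytes, NUL-terminates, returns strlen(src). */
static size_t ex_strlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* Pattern the rule flags: $RET = strlcpy(...) later used as an index.
 * The offset is only returned here, never written, so the demo is safe. */
size_t unchecked_offset(char *dst, size_t size, const char *src)
{
    size_t ret = ex_strlcpy(dst, src, size);
    return ret; /* dst[ret] = '/' is out of bounds whenever ret >= size */
}

/* Checked version: ret >= size means truncation, so never index with it.
 * Returns 0 on success, -1 on truncation or when '/' would not fit. */
int append_slash_checked(char *dst, size_t size, const char *src)
{
    size_t ret = ex_strlcpy(dst, src, size);
    if (ret >= size)      /* source was truncated */
        return -1;
    if (ret + 1 >= size)  /* no room for '/' plus the terminating NUL */
        return -1;
    dst[ret] = '/';
    dst[ret + 1] = '\0';
    return 0;
}

int main(void)
{
    char buf[8];
    const char *long_src = "0123456789"; /* constructed input, 10 bytes */
    printf("unchecked offset: %zu (buffer size %zu)\n",
           unchecked_offset(buf, sizeof buf, long_src), sizeof buf);
    printf("checked, long input:  %d\n",
           append_slash_checked(buf, sizeof buf, long_src));
    printf("checked, short input: %d -> \"%s\"\n",
           append_slash_checked(buf, sizeof buf, "abc"), buf);
    return 0;
}
```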