1

I am wondering if it's possible to detect this kind of buffer overflow somehow in Windows. The buffer is global (not on the stack), so /RTC in Visual Studio 2008 and VS2012 does not check it. MinGW gcc also failed.

#include <stdio.h>
char buffer[2];               /* global: not covered by stack checks such as /RTC */
int main(void)
{
  sprintf(buffer, "12345");   /* writes 6 bytes (incl. NUL) into a 2-byte buffer */
  return 0;
}

My first thought was static analysis.

  1. VS2012 Code Analysis : nothing
  2. CppCheck: nothing
  3. PCLint Online: nothing ( http://www.gimpel-online.com/OnlineTesting.html )
  4. PVS-Studio: nothing

Another solution is to use the _s version.

#include <stdio.h>
char buffer[2];
int main(void)
{
  sprintf_s(buffer, sizeof(buffer), "12345");   /* correct size: overrun is caught at runtime */
  return 0;
}

But with code looking like this

#include <stdio.h>
char buffer[2];
int main(void)
{
  sprintf_s(buffer, 20, "12345");   /* wrong size argument: the real buffer is 2 bytes */
  return 0;
}

there is still the same problem of an undetected buffer overrun.

Is it possible to use memory guards or canaries on global data (like on the stack) as well, or to resolve this problem using better static or dynamic analysis?

bataliero1234
  • Maybe it would be more correct to use the sizeof() macro: sprintf_s(buffer, sizeof(buffer), "12345"); – angeek86 Mar 27 '14 at 14:13
  • @angeek86 : `sizeof` is an operator, not a macro. The question is about finding code errors; while prevention and good coding practice are advised, the question here is how to detect careless coding errors rather than how to avoid the problem in the first place. It is not lost on me that my own answer is about avoidance rather than detection - which is why it is justifiably not the "accepted" answer. – Clifford Mar 28 '14 at 11:05
  • There is a solution, but only for Linux: gcc with -O2 and -D_FORTIFY_SOURCE=2. The output generated is "*** buffer overflow detected ***" – bataliero1234 Sep 19 '15 at 09:43
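The wrong-size `sprintf_s(buffer, 20, ...)` call above slips through because the size is typed by hand. As an added example (not code from the question or any answer), the wrapper below takes the size from the array declaration itself and turns a would-be overrun into a checked return value using `vsnprintf`; `checked_format` and `CHECKED_FORMAT` are hypothetical names.

```c
/* Added example: runtime detection of a would-be overrun of a global
 * buffer, with the destination size derived from the array itself. */
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* Global buffer, same as in the question. */
char buffer[2];

/* Returns 0 if the formatted text fit, -1 if plain sprintf would have
 * overrun dst. Only the part that fits is written, always NUL-terminated. */
int checked_format(char *dst, size_t dst_size, const char *fmt, ...)
{
    va_list ap;
    int needed;

    if (dst_size == 0)
        return -1;
    va_start(ap, fmt);
    needed = vsnprintf(dst, dst_size, fmt, ap);
    va_end(ap);
    /* Old MSVC _vsnprintf may return -1 and skip the NUL on truncation. */
    dst[dst_size - 1] = '\0';
    if (needed < 0 || (size_t)needed >= dst_size)
        return -1;          /* overrun detected and prevented */
    return 0;
}

/* dst must be an array in scope (not a pointer), so sizeof gives its
 * true size and a hand-typed "20" cannot creep in. */
#define CHECKED_FORMAT(dst, ...) checked_format((dst), sizeof(dst), __VA_ARGS__)

/* Reproduces the question's write of "12345" into the 2-byte global. */
int demo_global_overflow(void)
{
    return CHECKED_FORMAT(buffer, "12345");   /* returns -1 */
}

int main(void)
{
    if (demo_global_overflow() != 0)
        printf("overrun of 'buffer' detected; contents now \"%s\"\n", buffer);
    return 0;
}
```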

4 Answers

3

I am a Cppcheck developer. Cppcheck should easily detect that. What Cppcheck version did you use? Latest Cppcheck version is 1.64.

Here is the expected output when cppcheck-1.64 is used:

danielm@HP-Z220-2CMT:~/cppcheck$ ./cppcheck a.c 
Checking a.c...
[a.c:5]: (error) Buffer is accessed out of bounds.
Daniel Marjamäki
  • It would be useful if @bataliero1234 could answer your question about what version was used, and whether the problem was truly cppcheck and not user error. – Clifford Mar 28 '14 at 10:58
  • That was my mistake, I used the code with the secure version during the cppcheck test. char buffer[2]; sprintf_s(buffer, 20, "12345"); Now I see, without _s all is correct and the message is "Buffer is accessed out of bounds" – bataliero1234 Mar 28 '14 at 11:02
2

As the question is tagged C++, the simple solution is to avoid the issue altogether and not use the intrinsically unsafe C library at all, but rather use a std::ostringstream object.

#include <sstream>

std::ostringstream buffer ;

int main() 
{
    buffer << "12345" ;
}
Clifford
  • Agree. There are a lot of ways to improve safety when you use C++, but for these simple cases the best solution is a straightforward replacement. – MSalters Mar 28 '14 at 09:28
0

Coverity's secure coding checker (SECURE_CODING) will catch this sort of bug. See this link.

Throwback1986
0

You can use gflags that comes with Windows SDK:

http://msdn.microsoft.com/en-us/library/windows/hardware/ff543097%28v=vs.85%29.aspx

You register your app with gflags.exe:

 gflags /p /enable pheap-buggy.exe

and during program execution it will throw exceptions if you read/write outside the array boundary, which can be caught in the VS debugger.

But unfortunately gflags is for Windows Desktop, so it is of use only if you can also build your app for desktop - which actually makes development a lot easier.

marcinj