I have a char array defined like this:

```cpp
char buffer[100];
```

When I run a Flawfinder scan, one of the hits I get says:

(buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.

I know I have to do the checks when needed to make sure my code will be exception-free, but do we have any way to solve this (define a char array in some other way) so that the Flawfinder output has no hits?

UPDATE

Here's the full code of the function in case it would help

```cpp
std::string MyClass::randomGenerator(odb::nullable<int> maxLength) {
    struct timeval tmnow;
    struct tm *tm;
    char buf[100];

    gettimeofday(&tmnow, NULL);
    tm = localtime(&tmnow.tv_sec);
    strftime(buf, 100, "%m%d%H%M%S", tm);

    string micro = std::to_string(((int)tmnow.tv_usec / 10000));
    strlcat(buf, micro.c_str(), sizeof(buf));

    std::stringstream stream;
    stream << std::hex << stoll(buf);
    std::string result(stream.str());

    Utilities::find_and_replace(result, "0", "h");
    Utilities::find_and_replace(result, "1", "k");
    std::transform(result.begin(), result.end(),result.begin(), ::toupper);

    if (maxLength) {
        return result.substr(result.size() - maxLength.get(), result.size() - 1);
    } else {
        return result ;
    }
}
```
Mazen Ak
  • Hitting a single char array like that isn't enough to trigger a warning, do you also have some code that accesses this array? Declaring a dynamic array like std::vector<> just to avoid some warning is overkill when you follow proper coding. – Michael Chourdakis Jul 18 '20 at 14:36
  • `std::string`, you know it makes sense. – john Jul 18 '20 at 14:39
  • I don't think the rest of my code is triggering the warning but I will update the question and add the full code, and you're right with the dynamic array point. @MichaelChourdakis – Mazen Ak Jul 18 '20 at 14:40
  • Yes, but I need to have it as `char array` @john – Mazen Ak Jul 18 '20 at 14:40
  • @MazenAk Why? There's rarely a good reason for that. – john Jul 18 '20 at 14:45
  • Actually, just to maintain the code we have. I'm trying as much as I can to not change the old code we have. @john – Mazen Ak Jul 18 '20 at 14:46
  • @MazenAk OK, that is (sometimes) a good reason. But in my experience it is often managers who are reluctant to sanction code changes, while programmers want to make the code as good as possible. But it is a judgement call. – john Jul 18 '20 at 14:48
  • Indeed, in the end, if I'm not able to solve this, then I'll have to refactor the function and make it as good as possible. @john – Mazen Ak Jul 18 '20 at 14:51
  • @john heap allocations are not cheap. – Michael Chourdakis Jul 18 '20 at 14:52

1 Answer

Flawfinder is really a slightly glorified grep - it's not a true static-analysis tool that does data flow analysis, so I have always taken its output with a healthy dose of salt!

The way you should really write this code is to write true C++ code rather than glorified-C using C runtime functions, which are absolutely subject to memory corruption issues.
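
One way the question's function could be written without a statically-sized char array, as an added example (not code from the question or from the answerer). The function names `timestamp_digits` and `encode_id` are hypothetical, the time is passed in so the result is reproducible, and `Utilities::find_and_replace` is assumed to replace every occurrence.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <ctime>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>

// Same digits as strftime("%m%d%H%M%S") followed by usec / 10000, but written
// to a stream that grows as needed instead of into char buf[100].
std::string timestamp_digits(const std::tm& tm, long usec) {
    std::ostringstream out;
    out << std::put_time(&tm, "%m%d%H%M%S") << (usec / 10000);
    return out.str();
}

// Hex-encode the digits, map '0'->'h' and '1'->'k', then uppercase.
// Assumption: Utilities::find_and_replace replaces every occurrence.
std::string encode_id(const std::string& digits,
                      std::size_t max_length = std::string::npos) {
    std::ostringstream hex;
    hex << std::hex << std::stoll(digits);
    std::string result = hex.str();
    std::replace(result.begin(), result.end(), '0', 'h');
    std::replace(result.begin(), result.end(), '1', 'k');
    std::transform(result.begin(), result.end(), result.begin(),
                   [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
    // Only trim when the limit is shorter than the string, so the start
    // offset passed to substr can never wrap around.
    if (max_length < result.size())
        return result.substr(result.size() - max_length);
    return result;
}

int main() {
    std::tm tm{};  // constructed sample: 18 July, 14:36:05
    tm.tm_mon = 6; tm.tm_mday = 18;
    tm.tm_hour = 14; tm.tm_min = 36; tm.tm_sec = 5;
    std::cout << encode_id(timestamp_digits(tm, 123456), 4) << '\n';
}
```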