How to resolve the CWE-120, CWE-20 findings flagged by Flawfinder

I was asked to analyze some C code with Flawfinder:

    char * buffer;
    size_t len;
    // my_fd is a file descriptor
    read(my_fd, &len, sizeof(len));
    buffer = malloc(len + 1);
    read(my_fd, buffer, len);
    buffer[len] = '\0';

I get the following warnings on the 2 reads:

    test.c:xx: [1] (buffer) read:
    Check buffer boundaries if used in a loop including recursive loops
    (CWE-120,CWE-20).
    test.c:xx: [1] (buffer) read:
    Check buffer boundaries if used in a loop including recursive loops
    (CWE-120,CWE-20).

    char * buffer;
    size_t len;
    // my_fd is a file descriptor
    ssize_t ret = read(my_fd, &len, sizeof(len));
    if (ret == -1 || ret != sizeof len) {
        buffer = NULL;
    } else {
        buffer = malloc(len + 1);
        ret = read(my_fd, buffer, len);
        buffer[ret] = '\0';
    }
    free(buffer);

But the vulnerabilities are still detected. What am I missing?

Update #1:

I updated the function following @4386427's suggestion, checking both read() and malloc():

    char * buffer = NULL;
    size_t len;
    ssize_t ret = read(my_fd, &len, sizeof(len));
    if (ret == sizeof len)
    {
        buffer = malloc(len + 1);
        if (buffer != NULL)
        {
            ret = read(my_fd, buffer, len);
            if (ret == len)
            {
                buffer[ret] = '\0';
            }
            free(buffer);
        }
    }

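But nothing changed. How can I further improve the security?

Update #2:

Since Flawfinder only does pattern checking, and since it seems no further improvement is possible, at this point I am flagging these errors as false positives.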

Solution

I see two places in your last code snippet where you don't handle return values correctly:

1) You don't check malloc
2) You don't check read

Try:

    char * buffer;
    size_t len;
    // my_fd is a file descriptor
    ssize_t ret = read(my_fd, &len, sizeof(len));
    if (ret != sizeof len) {
        buffer = NULL;
    } else {
        buffer = malloc(len + 1);
        if (buffer != NULL) // Check that malloc was ok
        {
            ret = read(my_fd, buffer, len);
            if (ret == -1) // Check that read was ok
            {
                // error handling....
                //
                // for now just do:
                ret = 0;
            }
            else if (ret != len)
            {
                // Didn't get as much data as expected
                //
                // Add some error handling....
            }
            buffer[ret] = '\0';
        }
    }
    free(buffer);
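
A hardened variant of the read sequence above, added here as an example and not part of the original answer: it bounds the untrusted length before `malloc`, loops over short reads, and fails closed on any error. The names `read_full` and `read_record` and the `max_len` policy limit are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>

/* Read exactly n bytes. Returns 0 on success, -1 on error or early EOF. */
static int read_full(int fd, void *dst, size_t n)
{
    unsigned char *p = dst;
    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0) {
            if (errno == EINTR)
                continue;              /* interrupted by a signal: retry */
            return -1;
        }
        if (r == 0)
            return -1;                 /* EOF before the record was complete */
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/* Read a size_t length prefix, then that many payload bytes.
 * max_len is a caller-chosen upper bound (assumption, not from the page).
 * Returns a NUL-terminated heap buffer, or NULL on any failure. */
char *read_record(int fd, size_t max_len, size_t *out_len)
{
    size_t len;
    if (read_full(fd, &len, sizeof len) != 0)
        return NULL;
    /* len comes from the peer: bound it, and make sure len + 1 cannot wrap */
    if (len > max_len || len == SIZE_MAX)
        return NULL;
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;
    if (read_full(fd, buf, len) != 0) {
        free(buf);                     /* short or failed read: discard */
        return NULL;
    }
    buf[len] = '\0';
    *out_len = len;
    return buf;
}
```

Flawfinder matches on the `read` call itself, so it can still report these lines; the length bound and return-value checks are what the CWE-120/CWE-20 note asks a reviewer to confirm.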