Potentially overflowing call to snprintf
ID: cpp/overflowing-snprintf
Kind: problem
Security severity: 8.1
Severity: warning
Precision: high
Tags:
- reliability
- correctness
- security
- external/cwe/cwe-190
- external/cwe/cwe-253
Query suites:
- cpp-code-scanning.qls
- cpp-security-extended.qls
- cpp-security-and-quality.qls
The return value of a call to snprintf is the number of characters that would have been written to the buffer assuming there was enough space. If the operation reaches the end of the buffer and more than one character is discarded, the return value is greater than the buffer size. This can lead to incorrect behavior, for example

Example
#include <stddef.h>
#include <stdio.h>

#define BUF_SIZE (32)

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];
    size_t pos = 0;
    int i;

    for (i = 0; i < argc; i++)
    {
        /* The return value is added to pos unchecked. Once the output is
         * truncated, pos can exceed BUF_SIZE, so the size_t expression
         * BUF_SIZE - pos wraps around to a huge value on the next
         * iteration and snprintf is told it has far more room than it does. */
        pos += snprintf(buffer + pos, BUF_SIZE - pos, "%s", argv[i]);
        // BUF_SIZE - pos may overflow
    }
    return 0;
}
Recommendation

If the return value of snprintf is used, it should always be checked, and values greater than the buffer size must be accounted for.

Example
#include <stddef.h>
#include <stdio.h>

#define BUF_SIZE (32)

int main(int argc, char *argv[])
{
    char buffer[BUF_SIZE];
    size_t pos = 0;
    int i;

    for (i = 0; i < argc; i++)
    {
        int n = snprintf(buffer + pos, BUF_SIZE - pos, "%s", argv[i]);
        /* A negative value is an error; a value of at least the remaining
         * space means the output was truncated. In both cases stop, so pos
         * never passes the end of the buffer and BUF_SIZE - pos never wraps. */
        if (n < 0 || (size_t)n >= BUF_SIZE - pos)
        {
            break;
        }
        pos += (size_t)n;
    }
    return 0;
}
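To make the recommendation reusable, the following added example (not code from the CodeQL query help) wraps the check into a small append helper, uses it to join a list of constructed strings, and isolates the arithmetic of the unchecked loop so the wrapped size argument can be inspected without ever passing it to snprintf. The function names append_checked, join_args, unchecked_next_size, demo_join and demo_join_count, and the sample pieces, are assumptions made for this example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 32

/* Append formatted text at *pos. Returns 1 if everything fit, 0 if the
 * output was truncated or an error occurred. *pos never passes cap - 1,
 * so cap - *pos can never wrap around. (Added example, not CodeQL's code.) */
int append_checked(char *buf, size_t cap, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (cap == 0 || *pos >= cap)
        return 0;                       /* no room left: do not call snprintf at all */
    va_start(ap, fmt);
    n = vsnprintf(buf + *pos, cap - *pos, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;                       /* format/encoding error */
    if ((size_t)n >= cap - *pos) {
        *pos = cap - 1;                 /* truncated; buffer is still NUL-terminated */
        return 0;
    }
    *pos += (size_t)n;
    return 1;
}

/* Join argv-style strings into buf; returns how many pieces fit completely. */
int join_args(char *buf, size_t cap, int argc, const char *const argv[])
{
    size_t pos = 0;
    int i;
    for (i = 0; i < argc; i++) {
        if (!append_checked(buf, cap, &pos, "%s", argv[i]))
            break;
    }
    return i;
}

/* The arithmetic of the unchecked loop on the page, isolated so it can be
 * inspected without handing snprintf a wrapped size: after a write that
 * returned snprintf_ret, this is the size argument the next iteration
 * would pass. */
size_t unchecked_next_size(size_t cap, size_t pos, int snprintf_ret)
{
    size_t new_pos = pos + (size_t)snprintf_ret;    /* may exceed cap */
    return cap - new_pos;                           /* wraps when new_pos > cap */
}

/* Constructed input: three pieces, the last one longer than the space left. */
static const char *const demo_pieces[] = {
    "program", "--flag", "some-long-argument-value-here"
};

static char demo_buf[BUF_SIZE];

int demo_join_count(void)
{
    return join_args(demo_buf, BUF_SIZE, 3, demo_pieces);
}

const char *demo_join(void)
{
    demo_join_count();
    return demo_buf;
}

int main(void)
{
    printf("fit %d pieces: \"%s\"\n", demo_join_count(), demo_buf);
    /* After "program" and "--flag" pos is 13; the third piece returns 29,
     * so the unchecked loop would next pass 32 - 42 as the size. */
    printf("unchecked size argument: %zu (BUF_SIZE is %d)\n",
           unchecked_next_size(BUF_SIZE, 13, 29), BUF_SIZE);
    return 0;
}
```

With the constructed pieces, the checked join stops after two complete pieces and leaves a NUL-terminated 31-character buffer, while the unchecked arithmetic would hand snprintf a size close to SIZE_MAX on the next call.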
References

cplusplus.com: snprintf.
Red Hat Customer Portal: The trouble with snprintf.
Common Weakness Enumeration: CWE-190.
Common Weakness Enumeration: CWE-253.