Saturday, 18 July 2020

Flawfinder (CWE-119!/CWE-120) for char array C++

I have a char array defined like this

char buffer[100];

When I run a Flawfinder scan for hits, I get one that says:

(buffer) char:
  Statically-sized arrays can be improperly restricted, leading to potential
  overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use
  functions that limit length, or ensure that the size is larger than the
  maximum possible length.

I know I have to do the checks when needed to make sure my code will be exception free, but do we have any way to solve this (define a char array in another way) and make the Flawfinder output without any hit?

UPDATE

Here's the full code of the function in case it would help

#include <algorithm>
#include <cctype>
#include <ctime>
#include <sstream>
#include <string>
#include <sys/time.h>   // gettimeofday
#include <cstring>      // strlcat (BSD/macOS; not in glibc before 2.38)

std::string MyClass::randomGenerator(odb::nullable<int> maxLength) {
    struct timeval tmnow;
    struct tm *tm;
    char buf[100];                          // the line Flawfinder reports (CWE-119!/CWE-120)

    gettimeofday(&tmnow, NULL);
    tm = localtime(&tmnow.tv_sec);
    strftime(buf, sizeof(buf), "%m%d%H%M%S", tm);   // e.g. "0718153045"

    // hundredths of a second, appended as decimal digits
    std::string micro = std::to_string((int)tmnow.tv_usec / 10000);
    strlcat(buf, micro.c_str(), sizeof(buf));

    // reinterpret the digit string as a number and render it in hex
    std::stringstream stream;
    stream << std::hex << stoll(buf);
    std::string result(stream.str());

    Utilities::find_and_replace(result, "0", "h");
    Utilities::find_and_replace(result, "1", "k");
    std::transform(result.begin(), result.end(), result.begin(), ::toupper);

    if (maxLength) {
        // keep the last maxLength characters; substr's second argument is a count,
        // and clamping avoids size_t underflow when maxLength exceeds the length
        size_t keep = std::min<size_t>(maxLength.get(), result.size());
        return result.substr(result.size() - keep);
    } else {
        return result;
    }
}
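The Flawfinder message is about the pattern, not about a proven overflow: a fixed-size `char` array with its size repeated by hand at every call site is where length mistakes creep in. The example below is added here and is not the asker's code or Flawfinder's advice verbatim; it rebuilds the same timestamp pipeline so that the bound travels with the container (`std::array`, `std::string`), the `strftime` return value is checked rather than assumed, and the `maxLength` edge case (a value larger than the string, which underflows `size_t` in the original `substr` call) is clamped. `std::gmtime` replaces `localtime` only so the output is deterministic; `formatTimestamp` and `encodeToken` are names chosen for the example. Whether a given Flawfinder version still reports a hit on the rewritten code is something to confirm by re-running the scan.

```cpp
#include <algorithm>
#include <array>
#include <cctype>
#include <cstddef>
#include <ctime>
#include <optional>
#include <sstream>
#include <string>

// Same "%m%d%H%M%S" + hundredths string as the question's buf, built into a
// std::array so the limit is buf.size() and never a hand-typed 100.
// std::gmtime (UTC) instead of localtime keeps the result time-zone independent;
// that is an example design choice, not the asker's code.
std::string formatTimestamp(std::time_t seconds, long microseconds) {
    std::array<char, 32> buf{};                       // 32 > 10 digits + NUL
    const std::tm *tmv = std::gmtime(&seconds);
    if (tmv == nullptr) return std::string();
    std::size_t n = std::strftime(buf.data(), buf.size(), "%m%d%H%M%S", tmv);
    if (n == 0) return std::string();                 // output did not fit: fail closed
    std::string out(buf.data(), n);                   // length comes from strftime, not strlen
    out += std::to_string(static_cast<int>(microseconds / 10000));  // no strlcat needed
    return out;
}

// The rest of the asker's pipeline (hex, digit substitution, upper-case,
// optional tail), with maxLength clamped to the string length.
std::string encodeToken(const std::string &digits, std::optional<std::size_t> maxLength) {
    std::stringstream stream;
    stream << std::hex << std::stoll(digits);
    std::string result = stream.str();
    std::replace(result.begin(), result.end(), '0', 'h');
    std::replace(result.begin(), result.end(), '1', 'k');
    std::transform(result.begin(), result.end(), result.begin(),
                   [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
    if (maxLength) {
        std::size_t keep = std::min(*maxLength, result.size());
        return result.substr(result.size() - keep);   // last `keep` characters
    }
    return result;
}

int main() {
    // constructed input: the Unix epoch plus 123456 microseconds
    std::string ts = formatTimestamp(0, 123456);      // "010100000012"
    std::string tok = encodeToken(ts, 4);             // "C5HC"
    return (ts == "010100000012" && tok == "C5HC") ? 0 : 1;
}
```

The security-relevant difference is not the container type by itself but that no call receives a raw pointer together with a separately maintained length, and that a too-short buffer produces an empty result instead of a truncated or unterminated one.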
