如何改进漏洞发现者 memset 警告的代码?
[英]How to improve code around flawfinder memset warning?
问题描述
In my code, all calls to memset appear as warnings with the flawfinder tool .
在我的代码中,所有对memset的调用都显示为使用flawfinder工具的警告。
In the simplest case it could boil down to the equivalent to在最简单的情况下,它可以归结为等价于
float f1;
float f2;
void* p1 = &f1;
void* p2 = &f2;
memcpy(p1, p2, sizeof(float));
The message is消息是
./file.cpp:10: [2] (buffer) memcpy:
Does not check for buffer overflows when copying to destination (CWE-120).
Make sure destination can always hold the source data.
I absolutely understand that this could be replaced by a simple copy, this is just a simplified example.我完全理解这可以用一个简单的副本代替,这只是一个简化的例子。 I also understand what are the potential problems with using memcpy and buffer overrun.我也了解使用 memcpy 和缓冲区溢出的潜在问题。
The question is what is exactly flawfinder asking me to do here?问题是探痕者到底要我在这里做什么?
Perhaps something like adding an assert ?也许像添加assert类的东西? (this didn't suppress the warning) (这并没有抑制警告)
assert( sizeof(*p1) == sizeof(*p2) );
memcpy(p1, p2, sizeof(float));
Or is it just telling me just don't use memset ?还是只是告诉我不要使用memset ?
I am programming in C++, but I am pretty sure the question and the solution is common to both C and C++ languages.我正在用 C++ 编程,但我很确定这个问题和解决方案对于 C 和 C++ 语言都是通用的。
1 个解决方案
解决方案1
1 2021-12-03 21:28:27
errno_t err = memcpy_s(dest, dsize, src, cnt);
that should be the 'safe' version which hopefully satisfies flawfinder那应该是“安全”版本,希望能满足漏洞发现者
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.