False positive: Check buffer boundaries if used in a loop including...
Finds vulnerabilities in C/C++ source code
Brought to you by: dwheeler
Hello,
I am currently programming a kind of client in C++, which reads from a Posix handle with the help of Boost.Asio.
I get the following message:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
If I rename the function read() to start(), no error is displayed.
I have created and attached a small example:
$ flawfinder deviceclient_read.hpp
Flawfinder version 2.0.19, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 222
Examining deviceclient_read.hpp
FINAL RESULTS:
deviceclient_read.hpp:23: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
deviceclient_read.hpp:45: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
deviceclient_read.hpp:59: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
ANALYSIS SUMMARY:
Hits = 3
Lines analyzed = 73 in approximately 0.00 seconds (15483 lines/second)
Physical Source Lines of Code (SLOC) = 66
Hits@level = [0] 0 [1] 3 [2] 0 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 3 [1+] 3 [2+] 0 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 45.4545 [1+] 45.4545 [2+] 0 [3+] 0 [4+] 0 [5+] 0
Minimum risk level = 1
Not every hit is necessarily a security vulnerability.
You can inhibit a report by adding a comment in this form:
// flawfinder: ignore
Make *sure* it's a false positive!
You can use the option --neverignore to show these.
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.
$ flawfinder deviceclient_start.hpp
Flawfinder version 2.0.19, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 222
Examining deviceclient_start.hpp
FINAL RESULTS:
ANALYSIS SUMMARY:
No hits found.
Lines analyzed = 73 in approximately 0.00 seconds (38782 lines/second)
Physical Source Lines of Code (SLOC) = 66
Hits@level = [0] 0 [1] 0 [2] 0 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 0 [1+] 0 [2+] 0 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 0 [1+] 0 [2+] 0 [3+] 0 [4+] 0 [5+] 0
Minimum risk level = 1
There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.
I think this is clearly a false-positive report. The error should occur regardless of the function name.
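An added example, not part of this ticket or of flawfinder's own code: a simplified Python model of the name-based matching behind this report, run over a constructed stand-in for the attached header. It assumes the rule amounts to "a known dangerous name directly followed by (" plus the same-line "flawfinder: ignore" suppression mentioned in the output above; the real tool has a much larger ruleset and more context handling.

```python
import re

# Simplified model of flawfinder's name-based rule matching (an assumption about
# the tool's mechanics, not its code): an identifier from the ruleset that is
# directly followed by "(" is a hit, whether it is a libc call, a member-function
# definition or a call to that member. Two constructed rules stand in for the 222.
RULESET = {
    "read": "Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).",
    "strcpy": "Does not check for buffer overflows when copying to destination (CWE-120).",
}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
IGNORE_MARK = "flawfinder: ignore"   # same-line suppression comment


def scan(source, never_ignore=False):
    """Return (line number, identifier, message) for every rule match in source."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if not never_ignore and IGNORE_MARK in line:   # --neverignore disables this
            continue
        for m in CALL_RE.finditer(line):
            name = m.group(1)
            if name in RULESET:
                hits.append((lineno, name, RULESET[name]))
    return hits


# Constructed stand-in for the attached deviceclient_read.hpp: a class whose
# member function happens to share its name with the POSIX read(2) call.
SAMPLE_READ = """\
class DeviceClient {
public:
    void read() {                      // flagged: name is in the ruleset
        socket_.async_read_some(buf_); // not flagged: different identifier
    }
    void loop() { read(); }            // flagged again at the call site
    void quiet() { read(); }           // flawfinder: ignore
};
"""


def compare_renamed():
    """Hit counts for the sample before and after renaming read() to start()."""
    renamed = SAMPLE_READ.replace("read(", "start(")
    return len(scan(SAMPLE_READ)), len(scan(renamed))


if __name__ == "__main__":
    for lineno, name, msg in scan(SAMPLE_READ):
        print(f"sample.hpp:{lineno}: [1] (buffer) {name}: {msg}")
    print("hits before/after renaming read() to start():", compare_renamed())
```

The point for triage: a lexical scanner cannot tell a member function named read() from read(2), so the suppression comment (or a rename) is the only way to quiet it, and the comment should only be added after confirming the hit is a false positive.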