
#25 False positive: Check buffer boundaries if used in a loop including recursive loops (CWE-120, CWE-20).

v1.0 (example)
open
nobody
4
2024-03-23
2024-03-23
No

Hello,

I am currently programming a kind of client in C++, which reads from a POSIX handle with the help of Boost.Asio.
I get the following message:

  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).

If I rename the function read() to start(), no error is displayed.

I have created and attached a small example:

$ flawfinder deviceclient_read.hpp
Flawfinder version 2.0.19, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 222
Examining deviceclient_read.hpp

FINAL RESULTS:

deviceclient_read.hpp:23: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
deviceclient_read.hpp:45: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).
deviceclient_read.hpp:59: [1] (buffer) read:
Check buffer boundaries if used in a loop including recursive loops
(CWE-120, CWE-20).

ANALYSIS SUMMARY:

Hits = 3
Lines analyzed = 73 in approximately 0.00 seconds (15483 lines/second)
Physical Source Lines of Code (SLOC) = 66
Hits@level = [0] 0 [1] 3 [2] 0 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 3 [1+] 3 [2+] 0 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 45.4545 [1+] 45.4545 [2+] 0 [3+] 0 [4+] 0 [5+] 0
Minimum risk level = 1

Not every hit is necessarily a security vulnerability.
You can inhibit a report by adding a comment in this form:
// flawfinder: ignore
Make *sure* it's a false positive!
You can use the option --neverignore to show these.

There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.

$ flawfinder deviceclient_start.hpp
Flawfinder version 2.0.19, (C) 2001-2019 David A. Wheeler.
Number of rules (primarily dangerous function names) in C/C++ ruleset: 222
Examining deviceclient_start.hpp

FINAL RESULTS:

ANALYSIS SUMMARY:

No hits found.
Lines analyzed = 73 in approximately 0.00 seconds (38782 lines/second)
Physical Source Lines of Code (SLOC) = 66
Hits@level = [0] 0 [1] 0 [2] 0 [3] 0 [4] 0 [5] 0
Hits@level+ = [0+] 0 [1+] 0 [2+] 0 [3+] 0 [4+] 0 [5+] 0
Hits/KSLOC@level+ = [0+] 0 [1+] 0 [2+] 0 [3+] 0 [4+] 0 [5+] 0
Minimum risk level = 1

There may be other security vulnerabilities; review your code!
See 'Secure Programming HOWTO'
(https://dwheeler.com/secure-programs) for more information.

I think this is clearly a false-positive report. Whether the error occurs or not should not depend on the function name.

2 Attachments
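As an added illustration (not flawfinder's own code, and not the attached header): a minimal name-based scanner carrying the single rule from the report above, run over a constructed header that mimics the attachment. It shows why the hit follows the identifier rather than what the code does, and how the ignore comment mentioned in the output suppresses it.

```python
import re

# Simplified rule table, not flawfinder's ruleset (the report says that one has
# 222 entries): the single entry is the rule hit above, message copied from it.
RULES = {
    "read": ("buffer", "Check buffer boundaries if used in a loop including "
                       "recursive loops (CWE-120, CWE-20)."),
}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")      # identifier followed by '('
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')         # "..." literals
IGNORE_RE = re.compile(r"flawfinder:\s*ignore", re.IGNORECASE)


def scan(source: str) -> list:
    """Lexical scan: flag every rule name followed by '(' outside strings and
    line comments, as (line, name, category, message). Nothing here tells a C
    library call apart from the declaration, definition or recursive call of a
    C++ method that merely shares the name. A 'flawfinder: ignore' comment on
    the hit line or the line before suppresses it (block comments not handled)."""
    hits, lines = [], source.splitlines()
    for no, raw in enumerate(lines, 1):
        prev = lines[no - 2] if no >= 2 else ""
        if IGNORE_RE.search(raw) or IGNORE_RE.search(prev):
            continue
        code = STRING_RE.sub('""', raw).split("//", 1)[0]
        for m in CALL_RE.finditer(code):
            if m.group(1) in RULES:
                hits.append((no, m.group(1)) + RULES[m.group(1)])
    return hits


# Constructed header in the spirit of the attachment (not the attachment itself,
# and without Boost.Asio): the method is named read() and re-arms itself.
DEVICE_CLIENT = """\
class DeviceClient {
public:
    void read();                        // declaration
};
void DeviceClient::read() {             // definition
    // ... async_read_some(buf_, sizeof buf_) ... then, in the handler:
    read();                             // re-arm: the "recursive loop"
}
"""


def rename_method(source: str, old: str, new: str) -> str:
    """Rename only the method identifier, as the reporter did (read -> start)."""
    return re.sub(rf"\b{old}\b", new, source)
```

Scanning `DEVICE_CLIENT` yields three hits (declaration, definition, recursive call), the renamed copy yields none, and adding the ignore comment to the recursive call line drops that one hit.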
