[PATCH] Bug 18412 - Warn on scanf string format no field limits

Hi all-

I have been working on a patch for bug 18412 “CVE-2013-6462:
scanf %s should always have field limits” and was hoping to get
some comments.

The patch generates a bug report when a *scanf function uses %s
without a field width. It generates a warning from the compiler
rather than the static analyzer as proposed in the bug report.

Questions:

  • Is this a desirable feature (vs. the static analyzer)?
  • Will the false-positive rate be too high?
  • The warning currently falls under the “FormatSecurity” group,
    which seems ok except that “FormatSecurity” also falls under
    the “format-nonliteral” category which is making many unittests
    fail. Is this behavior intentional?

Example:

18412.c:9:27: warning: no field width in scanf string format specifier (potentially insecure)
if (sscanf(line, "name: %s", name) != 1) {
                        ^~

Zach

18412.patch (1.66 KB)
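Added example, not part of the patch or of either message in this thread: the bounded form of the `sscanf` call flagged in the warning above, with the field width tied to the buffer size at compile time and truncation reported instead of silently ignored. The names `parse_name`, `NAME_MAX` and `run_case` and the constructed inputs are assumptions of the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Stringify the width so the format literal always matches the buffer size. */
#define STR_(x) #x
#define STR(x) STR_(x)
#define NAME_MAX 63                              /* largest token accepted */
#define NAME_FMT "name: %" STR(NAME_MAX) "s"     /* expands to "name: %63s" */

enum parse_result { PARSE_OK = 0, PARSE_NO_MATCH = 1, PARSE_TRUNCATED = 2 };

/* Bounded replacement for the unbounded call in the warning example,
 *     sscanf(line, "name: %s", name);
 * which writes past `name` on any token longer than the buffer.  %63s stops
 * after 63 bytes (plus the NUL); %n records how much input was consumed so a
 * silently truncated token can be told apart from a complete one. */
enum parse_result parse_name(const char *line, char name[NAME_MAX + 1])
{
    int consumed = -1;
    if (sscanf(line, NAME_FMT "%n", name, &consumed) != 1)
        return PARSE_NO_MATCH;               /* no "name:" prefix, or no token */
    /* Non-whitespace left directly after the field means the token was
     * longer than NAME_MAX and has been cut short. */
    if (consumed >= 0 && line[consumed] != '\0' &&
        !isspace((unsigned char)line[consumed]))
        return PARSE_TRUNCATED;
    return PARSE_OK;
}

/* Constructed inputs covering the three outcomes; token length goes to *len. */
enum parse_result run_case(int which, size_t *len)
{
    char line[160], name[NAME_MAX + 1];
    if (which == 0) {
        strcpy(line, "name: alice\n");           /* fits in the buffer */
    } else if (which == 1) {                      /* 100-byte token: overflows with %s */
        memcpy(line, "name: ", 6);
        memset(line + 6, 'A', 100);
        line[106] = '\0';
    } else {
        strcpy(line, "host: alice\n");           /* wrong prefix: no match */
    }
    memset(name, 0, sizeof name);
    enum parse_result r = parse_name(line, name);
    *len = strlen(name);
    return r;
}
int case_result(int which) { size_t n; return (int)run_case(which, &n); }
int case_length(int which) { size_t n; run_case(which, &n); return (int)n; }
```

With the width in place the 100-byte token is cut at 63 characters and reported as truncated, where the unbounded `%s` would have written 37 bytes past the end of `name`.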

Zach Davis <zdavkeos@gmail.com> writes:

> I have been working on a patch for bug 18412 "CVE-2013-6462:
> scanf %s should always have field limits" and was hoping to get
> some comments.
>
> The patch generates a bug report when a *scanf function uses %s
> without a field width. It generates a warning from the compiler
> rather than the static analyzer as proposed in the bug report.
>
> Questions:
> - Is this a desirable feature (vs. the static analyzer)?
> - Will the false-positive rate be too high?

I suspect that this warning will trigger quite often on code in the
wild. Have you tried compiling any large code bases with this? That's
generally a good way to get an idea of the false positive rate.