ansaurus

Question

Answer 1

+12 A:

Aside from the fact that char buf[size+1] won't compile because size is a runtime value, assuming you could build buf as a size 65 array, then memset(buf, 0, 65) would not be an overflow.

Odds are your tool is confused by your syntactic issues.

[Edit: more information]

Based on comments to my original post, I suggest the following:

#define size 64
char buf[size+1];
strcpy(buf, "");
memset(buf, 0, size+1);

I believe Rob Kennedy is correct; your tool is using the empty string initializer value as the array size rather than the static array declaration.

Randolpho 2009-02-16 15:40:25

C99 has dynamically sized arrays.

Logan Capaldo 2009-02-16 15:43:14

Really? Well color me out of the game. Clearly I haven't done C in far too long.

Randolpho 2009-02-16 15:45:20

The reason it won't compile is that you can't initialize a dynamically sized array. Dynamically sized arrays are allowed for almost 10 years now.

Rob Kennedy 2009-02-16 15:45:22

That said, the tool might not realize that. It could be using the initializer to determine the array's size.

Rob Kennedy 2009-02-16 15:57:41

That's a good point.

Randolpho 2009-02-16 19:52:45

The call to strcpy is redundant; memset will just overwrite the (empty) string anyway.

Matthew Crumley 2009-02-17 02:13:30

Flash Sheridan 2009-03-31 21:52:23

A constant expression can be evaluated during translation… may be used in any place that a constant may be.… An integer constant expression* shall have integer type and shall only have operands that are integer constants,… * An integer constant expression is used to specify… the size of an array, …

Flash Sheridan 2009-03-31 21:56:00

@Flash Sheridan: You're correct. However, when I wrote my answer, size was size_t, not #define. The question has been edited. Check the history. :)

Randolpho 2009-04-01 04:35:00

Answer 2

A:

It's legal - the buffer is big enough. The tool is warning you that size_t might be bigger than int and trying to use it as indexer may lead to unpredictable results.

sharptooth 2009-02-16 15:44:21

I don't think that's what the tool is warning about. It clearly says that the array size is 1 and that indices 0 through 64 are being used. It's not complaining about sizes of integers.

Rob Kennedy 2009-02-16 15:58:55

revised example to avoid future confusion with size_t.

Andrew 2009-02-17 00:42:41

Well, the tool shows paranoia about the array size which is not correct. This may just be a bug in the tool - the tool's source could tell for sure.The problem with size_t however is a well known one and it hits painfully in some cases especially while porting to 64-bit platforms.

sharptooth 2009-02-17 05:21:36

Answer 3

+4 A:

Assigning "" to buf[size+1] does not reset the size of buf, but it is pointless, because it is duplicating a small portion of what the subsequent memset does (and it confuses your static analysis tool - you might want to file a bug report against it).

dave-ilsw 2009-02-17 01:38:07

Answer 4

+4 A:

It is not a buffer overflow.

This is probably a cleaner way to do it. Certainly it takes less lines of code.

#define size 64
char buf[size + 1] = {0};

EvilTeach 2009-02-17 02:06:19

ansaurus

tags:

views:

answers:

Is this really a buffer overflow?

related questions