On Mar 31, 2011, at 12:34 PM, Lenny Maiorani wrote:

> While I am at it, poking around in the string functions, here is a security 
> syntax checker for strcpy() which causes the Static Analyzer to generate a 
> warning any time the strcpy() function is used with a note suggesting to use 
> a function which provides bounded buffers.
> 
> I included in the warning description the CWE number. Is this useful?
> 
> Should the warning description also contain suggestions like strncpy() and 
> strlcpy()? Since there are a number of options I left that suggestion out in 
> lieu of the CWE number.

Can you check and see if the source is a literal constant, and the size of the 
destination is big enough, and in that case not issue the warning?

        char buffer[10];
        strcpy ( buffer, "Hi Mom!" );

should not trigger a warning.

-- Marshall

P.S.    I think it's great that you're adding these!


_______________________________________________
cfe-commits mailing list
[email protected]
http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
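
The suppression condition requested in the reply above, modelled as a stand-alone C program (an added example, not code from the patch or from the Static Analyzer). The names `classify_strcpy`, `CLASSIFY_LITERAL` and the `SUPPRESS`/`WARN` verdicts are hypothetical; the point it shows is that the size comparison must count the literal's terminating NUL.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical verdicts for one strcpy(dst, src) call site. */
enum verdict { SUPPRESS, WARN };

/*
 * dst_bytes:      sizeof the destination array, or 0 when the size is not
 *                 visible at the call site (dst is a plain pointer).
 * src_is_literal: nonzero when the source argument is a string literal.
 * src_bytes:      sizeof the literal, which includes the terminating NUL.
 */
enum verdict classify_strcpy(size_t dst_bytes, int src_is_literal,
                             size_t src_bytes)
{
    if (!src_is_literal || dst_bytes == 0)
        return WARN;                     /* length or capacity unknown */
    return src_bytes <= dst_bytes ? SUPPRESS : WARN;
}

/* "" lit only compiles when lit is a string literal, so this macro cannot
   be applied to a char pointer by mistake. */
#define CLASSIFY_LITERAL(dst_array, lit) \
    classify_strcpy(sizeof(dst_array), 1, sizeof("" lit))

const char *verdict_name(enum verdict v)
{
    return v == SUPPRESS ? "no warning" : "warning";
}

int main(void)
{
    char buffer[10];
    (void)buffer;                        /* only its size is inspected */

    /* 7 chars + NUL = 8 bytes: fits in 10 */
    printf("\"Hi Mom!\"    -> %s\n",
           verdict_name(CLASSIFY_LITERAL(buffer, "Hi Mom!")));
    /* 9 chars + NUL = 10 bytes: exact fit */
    printf("\"123456789\"  -> %s\n",
           verdict_name(CLASSIFY_LITERAL(buffer, "123456789")));
    /* 10 chars + NUL = 11 bytes: the NUL lands one past the array */
    printf("\"0123456789\" -> %s\n",
           verdict_name(CLASSIFY_LITERAL(buffer, "0123456789")));
    /* source is not a literal: nothing can be proven, keep the warning */
    printf("non-literal  -> %s\n", verdict_name(classify_strcpy(10, 0, 0)));
    return 0;
}
```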
