C++ Compiler with a -Wwarn-use-of-strcpy or similar option??

Paul Sheer

I need to automatically search and replace all fixed size
buffer strcpy's with strncpy's (or better yet, strlcpy's)
as a security and stability audit. The code base is large
and it is not feasible to manually perform these changes.

I would like perhaps a C++ parser that can automatically
detect use of a strcpy to a buffer of fixed size. For instance,

struct x {
char member[128];
};
...
struct x X;
...
strcpy (X.member, p); /* <-- should generate a warning here */

but

struct x {
char *member;
};
...
struct x X;
...
strcpy (X.member, p); /* <-- should NOT generate a warning */

(The second case is too complex to fix at this point.)



Is there any way of doing this? Our code is C++ (not C) and I
have, for example, looked at

http://codeworker.free.fr/ScriptsRepository.html

but this does not seem to provide an easy solution.

I am anticipating writing a script that can search and replace
"strcpy (x.member, p);" with "strlcpy (x.member, p, sizeof(x.member));"
provided the script can be guaranteed that the replacement is valid
(and I suppose only a full C++ parser would know if it is valid).

Can GCC be modified to give such a warning?

thanks

-paul
 

Christian Bau

Paul Sheer said:
I need to automatically search and replace all fixed size
buffer strcpy's with strncpy's (or better yet, strlcpy's)
as a security and stability audit. The code base is large
and it is not feasible to manually perform these changes.

1. Replacing strcpy with strncpy is a very bad idea. Where strcpy
overwrites memory, strncpy will create char arrays that are not C
strings.

2. If you perform these changes automatically using some tool then
security will go _down_. Of course, if your intention is only to make
management happy and have a check on a checklist, fine. If you want your
software to be secure and stable, do it by hand.

My recommendation: Take the whole source code. Give it to two separate
programmers. Let them discuss very carefully between them how to make
changes. Then each one goes ahead and makes the necessary changes. When
they are done, you compare the results and clean up any differences.

This is the fastest and safest method to actually get a safer and more
stable program.
 

Louis Krupp

Paul said:
I need to automatically search and replace all fixed size
buffer strcpy's with strncpy's (or better yet, strlcpy's)
as a security and stability audit. The code base is large
and it is not feasible to manually perform these changes.

I would like perhaps a C++ parser that can automatically
detect use of a strcpy to a buffer of fixed size. For instance,

struct x {
char member[128];
};
...
struct x X;
...
strcpy (X.member, p); /* <-- should generate a warning here */

but

struct x {
char *member;
};
...
struct x X;
...
strcpy (X.member, p); /* <-- should NOT generate a warning */

(The second case is too complex to fix at this point.)



Is there any way of doing this? Our code is C++ (not C) and I
have, for example, looked at

http://codeworker.free.fr/ScriptsRepository.html

but this does not seem to provide an easy solution.

I am anticipating writing a script that can search and replace
"strcpy (x.member, p);" with "strlcpy (x.member, p, sizeof(x.member));"
provided the script can be guaranteed that the replacement is valid
(and I suppose only a full C++ parser would know if it is valid).

No guarantees, and not as impressive as your patch to gcc, but here are
some ideas for a script (possibly in Perl) to fix one-line calls to strcpy:

Pass 1:

Substitute "char member[" with "char __member[" (or some other
distinctive decoration of "member").

When you find "strcpy(__member ...", replace that pattern with
"strlcpy(member ..." and ");" with ", sizeof(member));". If the line
doesn't contain the second pattern, it's a multiline call; you may want
to fix those by hand, or write a smarter script.

Pass 2:

Substitute all remaining occurrences of "__member" with "member".

As an alternative (since this is C++), you *might* consider writing a
character array class which knows its own length, overwriting assignment
to call strlcpy, and replacing "strcpy(__member ..." by "member = " and
(on the same line) ");" by ";".

Louis Krupp
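Louis's two-pass idea, carried out in C++ over a constructed source snippet, as an added example that is not from the thread or any of its posters: pass 1 collects the names declared as fixed-size char arrays, pass 2 rewrites only the one-line strcpy calls whose destination is one of those names, and counts pointer destinations and multi-line calls separately instead of touching them. The names collect_fixed_arrays, rewrite_strcpy and kSample are assumptions, and std::regex stands in for Perl.

```cpp
#include <regex>
#include <set>
#include <sstream>
#include <string>

// Pass 1: names declared as fixed-size char arrays ("char member[128];").
// "char *member;" never matches. Matching is by name only, so a pointer that
// shares its name with an array elsewhere in the file would be rewritten too.
std::set<std::string> collect_fixed_arrays(const std::string &src) {
    static const std::regex decl(R"re(\bchar\s+(\w+)\s*\[\s*\d+\s*\])re");
    std::set<std::string> names;
    for (auto it = std::sregex_iterator(src.begin(), src.end(), decl);
         it != std::sregex_iterator(); ++it)
        names.insert((*it)[1].str());
    return names;
}

struct RewriteResult { std::string text; int rewritten = 0, left_alone = 0, needs_manual = 0; };
// Pass 2: "strcpy (X.member, p);" -> "strlcpy (X.member, p, sizeof(X.member));",
// only when the destination's leaf identifier was collected in pass 1. A strcpy
// whose call does not close on the same line is only counted, for hand review.
RewriteResult rewrite_strcpy(const std::string &src) {
    static const std::regex call(R"re(\bstrcpy\s*\(\s*([\w.:>-]+)\s*,\s*([^;]*?)\s*\)\s*;)re");
    static const std::regex mention(R"re(\bstrcpy\s*\()re");
    const std::set<std::string> fixed = collect_fixed_arrays(src);
    RewriteResult out;
    std::istringstream in(src);
    // Every line, rewritten or not, is appended by the loop's increment step.
    for (std::string line; std::getline(in, line); out.text += line + '\n') {
        std::smatch m;
        if (!std::regex_search(line, m, call)) {
            if (std::regex_search(line, mention)) ++out.needs_manual;
            continue;
        }
        const std::string dst = m[1].str();
        const auto cut = dst.find_last_of(".>:");  // strip "X.", "X->", "ns::"
        const std::string leaf = cut == std::string::npos ? dst : dst.substr(cut + 1);
        if (!fixed.count(leaf)) { ++out.left_alone; continue; }
        line = m.prefix().str() + "strlcpy (" + dst + ", " + m[2].str() +
               ", sizeof(" + dst + "));" + m.suffix().str();
        ++out.rewritten;
    }
    return out;
}
// Constructed sample input mirroring the two struct cases in the original post.
const char *kSample =
    "struct x {\n  char member[128];\n  char *name;\n};\n"
    "void f(x &X, const char *p) {\n"
    "  strcpy (X.member, p);\n  strcpy (X.name, p);\n"  // array: rewritten; pointer: left alone
    "  strcpy (X.member,\n    p);\n"                    // multi-line call: counted for hand review
    "}\n";
```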
 

Ken Rose

Paul said:
I need to automatically search and replace all fixed size
buffer strcpy's with strncpy's (or better yet, strlcpy's)
as a security and stability audit. The code base is large
and it is not feasible to manually perform these changes.
Can GCC be modified to give such a warning?

GCC has a way to "poison" an identifier. I'm not finding it in a
quick perusal of the info pages, but I remember encountering it when
upgrading a port from gcc2 to gcc3.

It produces an error, not a warning, when the code attempts to use the
poisoned identifier.

Ahhh. Here it is (grepping the source)

#pragma GCC poison <ident>

Actually, it looks like it's just in g++.

Good luck - sorry about the incoherent post.

- ken
 

Paul Sheer

1. Replacing strcpy with strncpy is a very bad idea. Where strcpy
overwrites memory, strncpy will create char arrays that are not C
strings.

Well, strncpy with a terminating assignment afterward, or of course
strlcpy.

2. If you perform these changes automatically using some tool then
security will go _down_.

Only if the tool is not intelligent enough to only do replacements in
cases where the array size is fixed.

My recommendation: Take the whole source code. Give it to two
separate programmers. Let them discuss very carefully between them
how to make

This is exactly what I don't want.

Either the tool must be intelligent to make the changes without
errors, or there is no point.

See this thread on comp.lang.c++ .....

-paul
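Christian's point 1 and Paul's "terminating assignment" reply, shown on the original post's 128-byte member as an added example that is not code from the thread: a blanket strcpy-to-strncpy replacement leaves no terminator once the source is 128 bytes or longer, while copying at most N-1 bytes and assigning dst[N-1] = '\0' always yields a C string and returns strlen(src) so truncation can be detected, which is strlcpy's contract. The struct is the one from the post; the function names are assumptions.

```cpp
#include <cstddef>
#include <cstring>
#include <string>

// The fixed-size member from the original post.
struct x {
    char member[128];
};

// Raw strncpy into a fixed-size array, as a blanket strcpy->strncpy
// replacement would produce. Returns true only if a terminating NUL is
// still inside the array: when strlen(src) >= N, strncpy fills all N
// bytes with source characters and never writes one.
template <std::size_t N>
bool strncpy_leaves_terminated(char (&dst)[N], const char *src) {
    std::strncpy(dst, src, N);
    return std::memchr(dst, '\0', N) != nullptr;
}

// strncpy of at most N-1 bytes followed by an explicit terminating
// assignment (the strlcpy contract). Returns strlen(src), so the copy
// was truncated exactly when the return value is >= N.
template <std::size_t N>
std::size_t copy_terminated(char (&dst)[N], const char *src) {
    std::strncpy(dst, src, N - 1);
    dst[N - 1] = '\0';
    return std::strlen(src);
}

// Constructed inputs: one that fits and one longer than member[128].
const std::string kShort = "hello";
const std::string kLong(200, 'A');

bool short_source_is_terminated() {
    x X;
    return strncpy_leaves_terminated(X.member, kShort.c_str());  // true
}
bool long_source_is_terminated() {
    x X;
    return strncpy_leaves_terminated(X.member, kLong.c_str());   // false
}
// With the terminating assignment the long copy is cut to 127 characters
// but is still a valid C string, and the caller can see it was truncated.
bool long_source_truncated_but_terminated() {
    x X;
    const std::size_t n = copy_terminated(X.member, kLong.c_str());
    return n >= sizeof(X.member) && std::strlen(X.member) == sizeof(X.member) - 1;
}
```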
 