You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
45 lines
1.7 KiB
45 lines
1.7 KiB
Buffer overrun reports fall into several "buckets" corresponding to the expected precision of the
|
|
report. The higher the number, the more likely it is to be a false positive.
|
|
|
|
* `L1`: The most faithful report, when it *must* be unsafe. For example, array size: `[5,5]`,
|
|
offset: `[3,3]`.
|
|
|
|
* `L2`: Less faithful report than `L1`, when it *may* be unsafe. For example, array size:`[5,5]`,
|
|
offset: `[0,5]`. Note that the offset may be a safe value in the real execution, i.e. 0, 1, 2,
|
|
3, 4.
|
|
|
|
* `L5`: The least faithful report, when there is an interval top. For example, array size:
|
|
`[5,5]`, offset: `[-oo,+oo]`.
|
|
|
|
* `L4`: More faithful report than `L5`, when there is an infinity value. For example, array size:
|
|
`[5,5]`, offset: `[0, +oo]`.
|
|
|
|
* `L3`: The reports that are not included in the above cases.
|
|
|
|
Other than them, there are some specific-purpose buffer overrun reports as follows.
|
|
|
|
* `R2`: An array access is unsafe by *risky* array values from `strndup`. For example, suppose
|
|
there is a `strndup` call as follows.
|
|
|
|
```c
|
|
char* s1 = (char*)malloc(sizeof(char) * size);
|
|
for (int i = 0; i < size; i++) {
|
|
s1[i] = 'a';
|
|
}
|
|
s1[5] = '\0';
|
|
char* s2 = strndup(s1, size - 1);
|
|
s2[size - 1] = 'a';
|
|
```
|
|
|
|
Even if the second parameter of `strndup` is `size - 1`, the length of `s2` can be shorter than
|
|
`size` if there is the null character in the middle of `s1`.
|
|
|
|
* `S2`: An array access is unsafe by symbolic values. For example, array size: `[n,n]`, offset
|
|
`[n,+oo]`.
|
|
|
|
* `T1`: An array access is unsafe by tainted external values. This is experimental and will be
|
|
removed sooner or later.
|
|
|
|
* `U5`: An array access is unsafe by unknown values, which are usually from unknown function
|
|
calls.
|