[Boost-bugs] [Boost C++ Libraries] #13218: Xcode 8/9 static analyzer warning in socket_ops.ipp:2023:5: function 'strcat' is insecure. CWE-119

Subject: [Boost-bugs] [Boost C++ Libraries] #13218: Xcode 8/9 static analyzer warning in socket_ops.ipp:2023:5: function 'strcat' is insecure. CWE-119
From: Boost C++ Libraries (noreply_at_[hidden])
Date: 2017-09-19 21:03:31


#13218: Xcode 8/9 static analyzer warning in socket_ops.ipp:2023:5: function
'strcat' is insecure. CWE-119
------------------------------+----------------------------
 Reporter: mark_hastings@… | Owner: chris_kohlhoff
     Type: Bugs | Status: new
Milestone: To Be Determined | Component: asio
  Version: Boost 1.65.0 | Severity: Problem
 Keywords: |
------------------------------+----------------------------
 The warning generated on macOS by the Xcode 9 static analyzer for files
 that #include asio.hpp is:

 In file included from /mnt/boost/asio.hpp:21:
 In file included from /mnt/boost/asio/basic_datagram_socket.hpp:21:
 In file included from /mnt/boost/asio/datagram_socket_service.hpp:30:
 In file included from
 /mnt/boost/asio/detail/reactive_socket_service.hpp:30:
 In file included from
 /mnt/boost/asio/detail/reactive_socket_accept_op.hpp:24:
 In file included from /mnt/boost/asio/detail/socket_holder.hpp:20:
 In file included from /mnt/boost/asio/detail/socket_ops.hpp:333:
 /mnt/boost/asio/detail/impl/socket_ops.ipp:2023:5: warning: Call to
 function 'strcat' is insecure as it does not provide bounding of the
 memory buffer. Replace unbounded copy functions with analogous functions
 that support length arguments such as 'strlcat'. CWE-119

 Since a lot of our files include asio.hpp, we see this warning over and
 over again. And unfortunately I know of no way to suppress this issue, so
 I'm hoping you can adjust the implementation to use strlcpy. Some of the
 other layers in Boost seem to have done this already, so maybe you don't
 have to re-invent the wheel.

-- 
Ticket URL: <https://svn.boost.org/trac10/boost/ticket/13218>
Boost C++ Libraries <http://www.boost.org/>
Boost provides free peer-reviewed portable C++ source libraries.
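As an added example (not asio's code and not the reporter's), this is the shape of replacement the warning asks for: an append that takes the destination size and reports truncation, with strlcat-style semantics written out in standard C++ because strlcat is a BSD/macOS function rather than a standard one. The host and suffix strings are constructed sample inputs.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Append src to the NUL-terminated string already in dest without ever
// writing beyond dest_size bytes (the contract strlcat() offers on macOS/BSD,
// written here in portable standard C++). Returns true if all of src fit,
// false if the result was truncated; dest stays NUL-terminated either way.
bool bounded_append(char* dest, std::size_t dest_size, const char* src)
{
    if (dest == nullptr || src == nullptr || dest_size == 0)
        return false;
    // Find the existing terminator, but never scan past the buffer.
    std::size_t used = 0;
    while (used < dest_size && dest[used] != '\0')
        ++used;
    if (used == dest_size) {
        dest[dest_size - 1] = '\0';   // unterminated input: repair, append nothing
        return false;
    }
    std::size_t room = dest_size - used - 1;          // bytes left before the NUL
    std::size_t src_len = std::strlen(src);
    std::size_t to_copy = src_len < room ? src_len : room;
    std::memcpy(dest + used, src, to_copy);
    dest[used + to_copy] = '\0';
    return to_copy == src_len;
}

// Worked case: build host + suffix in a deliberately small fixed buffer, the
// shape of code where an unbounded strcat() overruns the buffer once the
// input is long enough. Inputs are constructed sample values, not from the ticket.
std::string append_into_small_buffer(const char* host, const char* suffix, bool* fit)
{
    char buf[16];
    buf[0] = '\0';
    bool ok = bounded_append(buf, sizeof(buf), host);
    ok = bounded_append(buf, sizeof(buf), suffix) && ok;
    if (fit != nullptr) *fit = ok;
    return std::string(buf);
}

int main()
{
    bool fit = false;
    std::string s = append_into_small_buffer("example.com", ":8080", &fit);
    std::printf("%s (%s)\n", s.c_str(), fit ? "fit" : "truncated");
    return 0;
}
```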

This archive was generated by hypermail 2.1.7 : 2017-09-19 21:09:37 UTC