Opened 12 months ago

#13218 new Bugs

Xcode 8/9 static analyzer warning in socket_ops.ipp:2023:5: function 'strcat' is insecure. CWE-119

Reported by: mark_hastings@… Owned by: chris_kohlhoff
Milestone: To Be Determined Component: asio
Version: Boost 1.65.0 Severity: Problem
Keywords: Cc:

Description

The warning generated on macOS by the Xcode 9 static analyzer for files that #include asio.hpp is:

In file included from /mnt/boost/asio.hpp:21:
In file included from /mnt/boost/asio/basic_datagram_socket.hpp:21:
In file included from /mnt/boost/asio/datagram_socket_service.hpp:30:
In file included from /mnt/boost/asio/detail/reactive_socket_service.hpp:30:
In file included from /mnt/boost/asio/detail/reactive_socket_accept_op.hpp:24:
In file included from /mnt/boost/asio/detail/socket_holder.hpp:20:
In file included from /mnt/boost/asio/detail/socket_ops.hpp:333:
/mnt/boost/asio/detail/impl/socket_ops.ipp:2023:5: warning: Call to function 'strcat' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcat'. CWE-119

Since a lot of our files include asio.hpp, we see this warning over and over again. And unfortunately I know of no way to suppress this issue, so I'm hoping you can adjust the implementation to use strlcpy. Some of the other layers in Boost seem to have done this already, so maybe you don't have to re-invent the wheel.
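The analyzer's complaint is that strcat takes no destination size, so a long suffix silently writes past the end of a fixed buffer (CWE-119). The bounded function it suggests, strlcat, is a BSD/macOS extension rather than ISO C, so a portable replacement has to be written by hand. The following is an added illustration, not code from this ticket or from Boost.Asio: bounded_append and append_checked are hypothetical helper names, and the sample strings are constructed. It shows the semantics a practitioner would want from such a replacement: the destination is measured without reading past its declared size, the result is always NUL-terminated, and the return value lets the caller detect truncation instead of overflowing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* strlcat-style append in plain ISO C (hypothetical helper, not Asio's).
 * Appends src to dst without writing beyond dst_size bytes, always leaves
 * dst NUL-terminated when it was terminated on entry, and returns the
 * length the full (untruncated) result would have had. A return value
 * >= dst_size therefore means the output was truncated. */
size_t bounded_append(char *dst, size_t dst_size, const char *src)
{
    /* Measure dst with memchr, never strlen, so an unterminated buffer
     * cannot make us read past dst_size bytes. */
    const char *end = memchr(dst, '\0', dst_size);
    size_t dst_len = end ? (size_t)(end - dst) : dst_size;
    size_t src_len = strlen(src);

    /* dst has no terminator inside dst_size: refuse to touch it. */
    if (dst_len == dst_size)
        return dst_size + src_len;

    size_t room = dst_size - dst_len - 1;        /* bytes before the NUL */
    size_t n = src_len < room ? src_len : room;  /* how much actually fits */
    memcpy(dst + dst_len, src, n);
    dst[dst_len + n] = '\0';
    return dst_len + src_len;
}

/* Caller-side check: 1 if the whole suffix fit, 0 if the result was cut
 * (dst still holds a terminated, truncated string in that case). */
int append_checked(char *dst, size_t dst_size, const char *src)
{
    return bounded_append(dst, dst_size, src) < dst_size;
}

int main(void)
{
    char buf[8] = "abc";                 /* constructed sample input */

    /* Fits: "abc" + "def" is 6 characters plus the terminator. */
    if (append_checked(buf, sizeof buf, "def"))
        printf("ok:        \"%s\"\n", buf);

    /* Does not fit: only one more character fits before the NUL. With
     * strcat this call would write two bytes past the end of buf. */
    if (!append_checked(buf, sizeof buf, "gh"))
        printf("truncated: \"%s\"\n", buf);

    /* Unterminated input is left alone instead of being scanned past. */
    char raw[4] = { 'a', 'b', 'c', 'd' };
    if (!append_checked(raw, sizeof raw, "x"))
        printf("refused unterminated destination\n");

    return 0;
}
```

The return-value convention mirrors strlcat's, so a caller that wants a hard failure rather than a truncated string compares the result against the buffer size, as append_checked does; a caller that cannot tolerate truncation at all should treat that failure as an error rather than using the shortened string.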

Change History (0)
