JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.
If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.
If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.
| CodeSonar® 9.2p0 | CONFIDENTIAL | CodeSecure Inc |
A size argument to one of the triggering functions is based on unchecked addition, thus risking integer overflow and an unexpectedly small operation scope.
(Note: when addition overflow can affect size calculation for memory allocations, warning class Addition Overflow of Allocation Size applies instead.)
| Class Name | Addition Overflow of Size | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Significance | security | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Mnemonic | MISC.MEM.SIZE.ADDOFLOW | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Categories |
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Availability | Available for C and C++. |
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Enabling | Checks for this warning class are
disabled by default. To enable them, add the following WARNING_FILTER
rule to the project configuration file.
WARNING_FILTER += allow class="Addition Overflow of Size" |
Japanese (ja)
#include <string.h>
void do_addoflow_size(char *p, int x, int y)
{
memset(p,0,x + y); /* Addition Overflow of Size
* warning issued here. */
/* ... */
}
CodeSonar ships with library models that allow it to recognize a large number of functions that operate on memory and take a size argument. Some examples are shown in the table below. If one of these functions is called with a size argument that may have undergone addition overflow, a warning will be issued.
If you have created a custom library model for some function f() in terms of one of these existing models, calls to f() will also be capable of triggering Addition Overflow of Size warnings.
| Functions that can trigger warnings include... | |
|---|---|
| Apache Portable Runtime (APR) | apr_cpystrn(), apr_pmemdup() |
| gcc Builtins | __builtin___memcpy_chk(), __builtin_strncpy() |
| LDAP | ldap_search_ext() |
| libc | memcpy(), strncat(), write() |
| libpq | PQprepare() |
| Linux Kernel | copy_from_user(), kfree_s() |
| Mac OS X | _FREE_ZONE(), copyin() |
| ODBC | SQLPrepareA(), SQLPrepareUNIX(), SQLPrepareW() |
| OpenSSL | CRYPTO_malloc(), OPENSSL_cleanse() |
| Qt | qMemCopy(), qMemSet() |
| Win32 | BytesToUnicode(), StrNCatA(), StrNCatW(), wcsnlen() |
Note that classes Addition Overflow of Size, Multiplication Overflow of Size, Subtraction Underflow of Size and Truncation of Size all have the same set of triggering functions.
This is a "taint+dp" warning class: warnings of this class undergo a dedicated refinement phase that cannot be disabled. One consequence of this is that reporting exhibits some degree of unavoidable nondeterminism. If result stability is important to you, you may wish to avoid enabling this class.
In issuing a warning of this class, CodeSonar does not take into account any constraints on integer values that are imposed before the beginning of the warning's core path.
The following configuration file parameters affect checks for this warning class.
To report problems with this documentation, please visit https://support.codesecure.com/.