Is there a dynamic checking utility that can flag overflow of static buffer in struct?

Question

Is there a dynamic checking utility that can flag the following bug? Valgrind cannot. Can Purify or Insure++? This is on Linux Ubuntu latest version.

struct A {
    char buff1[8];
    int jj;
    char buff2[8];
    int ii;
    char buff3[8];
} a;

main(int argc, char *args[])
{
    // Set intermediate fields to known flag value
    a.ii = a.jj = 0xdeadbeef;

    // Write 8 char string into 8 byte buffer - null will overflow into neighboring int field. ERROR
    sprintf(a.buff2, "ABCDEFGH");
}

Answer 1

Not to my knowledge. Most (or rather: all?) memory verification tools work in a way that embeds read- and write protected pages as guard zones between and around variables in order to provoke traps on accesses beyond the legally allocated areas.

Without severely disturbing structure alignment and integrity, this cannot be easily done in the middle of a structure.

EDIT: Another point is: There is constructs where writing over structure member bounds is perfectly legal and the only reasonable possibility to achieve what you want. One example is copying structures to the heap:

struct x orig, *copy;

orig.a = 100;
strcpy (orig.str, "Test");

copy = malloc (sizeof (struct x));
memcpy (copy, &orig, sizeof (struct x));

This writes beyond structure member bounds as well, but is the only reasonable (and perfectly legal) way to get the structure onto the heap (apart from tedious and slow member-wise copy).

Another example would be

p = malloc (NUM_STRUCTS * sizeof (struct x));
memset (p, NUM_STRUCTS * sizeof (struct x), 0);

This is a perfectly valid constuct that allows you to clear an array of structures on the heap - And it does not even write aross internal struct boundaries, but also between structs.

In some sense, even calloc() would write beyond structure member bounds....

And, as a definite answer from the (admittedly older) Purify User Manual I happend to find in one of my desk drawers:

Purify detects array bounds errors in arrays within C structures only when the access extends beyond the entire structure

That counts as a "no" for me.

Answer 2

Compiling with all warnings enabled is a good start:

chqrlie@mac ~/dev/stackoverflow > clang -O3 -std=c11 -Weverything -lm -o 35996676 35996676.c
35996676.c:9:1: warning: type specifier missing, defaults to 'int' [-Wimplicit-int]
main(int argc, char *args[])
^
35996676.c:12:19: warning: implicit conversion changes signedness: 'unsigned int' to 'int' [-Wsign-conversi
    a.ii = a.jj = 0xdeadbeef;
                ~ ^~~~~~~~~~
35996676.c:15:5: warning: implicitly declaring library function 'sprintf' with type 'int (char *, const cha
    sprintf(a.buff2, "ABCDEFGH");
    ^
35996676.c:15:5: note: include the header <stdio.h> or explicitly provide a declaration for 'sprintf'
35996676.c:9:10: warning: unused parameter 'argc' [-Wunused-parameter]
main(int argc, char *args[])
         ^
35996676.c:9:22: warning: unused parameter 'args' [-Wunused-parameter]
main(int argc, char *args[])
                     ^
35996676.c:7:3: warning: no previous extern declaration for non-static variable 'a' [-Wmissing-variable-dec
} a;
  ^
6 warnings generated.

Fixing these with simple patches, and adding extra obvious bugs:

#include <stdio.h>
#include <string.h>

static struct A {
    char buff1[8];
    unsigned int jj;
    char buff2[8];
    unsigned int ii;
    char buff3[8];
} a;

int main(void) {
    // Set intermediate fields to known flag value
    a.ii = a.jj = 0xdeadbeef;

    // Write 8 char string into 8 byte buffer - null will overflow into neighboring int field. ERROR
    sprintf(a.buff1, "ABCDEFGH");
    strcpy(a.buff2, "ABCDEFGH");
    sprintf(a.buff3, "%s", "ABCDEFGH");

    return 0;
}

Compiles with no warnings, is spite of the obvious sprintf and strcpy bugs that a simplistic static analysis should have caught.

gcc with -Wall -W -Wextra does not see anything wrong either.

It is recommended to use snprintf instead of sprintf, but that would not prevent the strcpy problem. strcpy is unsafe in the general case, but with a string literal as a source, the compiler should definitely complain.

You should try Frama-c, a powerful source code analysis framework available in open source from http://frama-c.com/

Answer 3

In my experience, Purify may do what you want. This is an excerpt from an older Purify user's manual posted to the internet:

How Purify checks statically allocated memory

In addition to detecting access errors in dynamic memory, Purify detects references beyond the boundaries of data in global variables and static variables, that is, data allocated statically at link-time as opposed to dynamically at run time.

Here is an example of data that is handled by the static checking feature:

int array[10];
main() {
    array[11] = 1;
}

In this example, Purify reports an ABW error at the assignment to array[11] because it is 4 bytes beyond the end of the array.

Answer 4

Does it have to be a dynamic tool? The only tool I know which will detect the above scenario is Coverity, a static tool from Synopsis. For the above case it will produce a report on the form of:

Error: OVERRUN:
...
sprintf_overrun: "sprintf" will overrun its first argument "a.buff2" which can accommodate 8 bytes.  The number of bytes written may be 9 bytes, including the terminating null.