Opened 5 years ago
#13218 new Bugs
Xcode 8/9 static analyzer warning in socket_ops.ipp:2023:5: function 'strcat' is insecure. CWE-119
| Reported by: | | Owned by: | chris_kohlhoff |
|---|---|---|---|
| Milestone: | To Be Determined | Component: | asio |
| Version: | Boost 1.65.0 | Severity: | Problem |
| Keywords: | | Cc: | |
Description
The warning generated on macOS by the Xcode 9 static analyzer for files that #include asio.hpp is:
In file included from /mnt/boost/asio.hpp:21:
In file included from /mnt/boost/asio/basic_datagram_socket.hpp:21:
In file included from /mnt/boost/asio/datagram_socket_service.hpp:30:
In file included from /mnt/boost/asio/detail/reactive_socket_service.hpp:30:
In file included from /mnt/boost/asio/detail/reactive_socket_accept_op.hpp:24:
In file included from /mnt/boost/asio/detail/socket_holder.hpp:20:
In file included from /mnt/boost/asio/detail/socket_ops.hpp:333:
/mnt/boost/asio/detail/impl/socket_ops.ipp:2023:5: warning: Call to function 'strcat' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcat'. CWE-119
Since a lot of our files include asio.hpp, we see this warning over and over again. And unfortunately I know of no way to suppress this issue, so I'm hoping you can adjust the implementation to use strlcpy. Some of the other layers in Boost seem to have done this already, so maybe you don't have to re-invent the wheel.
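As an added illustration of the property the analyzer is asking for (this is not asio's code and not a patch for socket_ops.ipp), the hypothetical `bounded_cat` below is a portable strlcat-style append: it never writes past the buffer size, always NUL-terminates, and returns a length the caller can compare against the buffer size to detect truncation instead of silently overflowing as strcat would.

```c
/* Added example, not asio code: strlcat-style bounded append with
 * truncation detection, written without POSIX-only helpers so it
 * builds anywhere strcat does. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Append src to dst without writing beyond dst_size bytes. Always
 * NUL-terminates when dst_size > 0. Returns the length the full result
 * would have had; a return value >= dst_size means truncation occurred. */
size_t bounded_cat(char *dst, const char *src, size_t dst_size)
{
    size_t dst_len = 0;
    while (dst_len < dst_size && dst[dst_len] != '\0')
        dst_len++;                        /* length of dst within bounds */
    size_t src_len = strlen(src);
    if (dst_len == dst_size)              /* dst not terminated: nothing fits */
        return dst_size + src_len;
    size_t room = dst_size - dst_len - 1; /* bytes free before the NUL */
    size_t n = src_len < room ? src_len : room;
    memcpy(dst + dst_len, src, n);
    dst[dst_len + n] = '\0';
    return dst_len + src_len;
}

/* Hypothetical caller: join two fragments into a fixed buffer the way
 * strcat-based code typically does, but fail closed on truncation.
 * Returns 1 if the full result fit, 0 if it was truncated. */
int join_fits(char *out, size_t out_size, const char *a, const char *b)
{
    if (out_size == 0)
        return 0;
    out[0] = '\0';
    if (bounded_cat(out, a, out_size) >= out_size)
        return 0;
    if (bounded_cat(out, b, out_size) >= out_size)
        return 0;
    return 1;
}

int main(void)
{
    char buf[8];                                   /* constructed sample buffer */
    printf("%d %s\n", join_fits(buf, sizeof buf, "abc", "def"), buf);
    printf("%d %s\n", join_fits(buf, sizeof buf, "abcd", "efghij"), buf);
    return 0;
}
```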