ikos icon indicating copy to clipboard operation
ikos copied to clipboard

Published 20 hours ago verified publisher icon NASA-SW-VnV

IKOS should tolerate `snprintf(NULL, 0, ...)`

Open szhorvat opened this issue 1 year ago • 2 comments

ikos claims that the following C program is unsafe because of the null pointer passed to snprintf():

#include <stdio.h>

int main(void) {
    snprintf(NULL, 0, "%d", 123);
    return 0;
}

However, according to cppreference, when the second argument is 0, the first argument is allowed to be NULL.

https://en.cppreference.com/w/c/io/fprintf

If bufsz is zero, nothing is written and buffer may be a null pointer, however the return value (number of bytes that would be written not including the null terminator) is still calculated and returned.

We use this feature to determine the number of characters that would be written before actually writing them.

szhorvat avatar Jul 27 '23 08:07 szhorvat

I could be wrong, but at first glance I think we'd need to change:

https://github.com/NASA-SW-VnV/ikos/blob/ae8200b7f8f1c26e3f92d2529e84428fa199f844/analyzer/src/checker/null_dereference.cpp#L335-L338

so that this->check_null(call, call->argument(0), inv) is only included when this->_lit_factory.get_scalar(call->argument(1)); is not zero. There may be several cases that we'd have to consider, such as it not being zero but being a variable (which may contain the value zero) and so on.

ivanperez-keera avatar Nov 29 '23 11:11 ivanperez-keera

Maybe handling the special case of argument 1 being the 0 constant would be fine for now since that seems like a common use case.

arthaud avatar Nov 29 '23 19:11 arthaud