
SCA Finding in CFE_TBL_Load

Open ejtimmon opened this issue 2 years ago • 2 comments

Describe the bug: Klocwork static analysis tool flagged the following finding:

File: /ccrs/flight-sw/fsw/cfe/modules/tbl/fsw/src/cfe_tbl_api.c
Line: 833
Function: CFE_TBL_Load
Finding: Buffer Overflow - Array Index Out of Bounds

To Reproduce: Run Klocwork tool

Reporter Info: Beth Geist/NASA GSFC

ejtimmon, Oct 23 '23 14:10

This line? https://github.com/nasa/cFE/blob/03166722cdde3f1b337742088e7137ebacf64734/modules/tbl/fsw/src/cfe_tbl_api.c#L833

skliper, Oct 23 '23 15:10

This one is entirely plausible. CFE_TBL_Load has been on our list of worst offenders for over complexity. There are so many permutations of possibilities in here, it wouldn't surprise me if there are cases where this has a genuine possibility for out-of-bounds array access.

I wouldn't attempt to "fix" this code though, unless it's done as part of a more comprehensive cleanup intended to reduce the complexity of these operations.

Related issues #483, #600, #1504, #1521, #1750, #1861.

Fixing these known issues would probably make this warning go away as well.

jphickey, Oct 24 '23 14:10