gcc/testsuite/gcc.dg/analyzer/out-of-bounds-curl.c


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

/* { dg-additional-options "-O2" } */
#include <string.h>

/* Reduced from curl lib/smb.c.  */
typedef int CURLcode;

struct smb_conn {
  // [...]
  char *user;
};

struct smb_setup {
  // [...]
  char bytes[48];
} __attribute__((packed));

struct connectdata {
  // [...]
  struct smb_conn *smbc;
};

CURLcode smb_send_setup (struct connectdata *conn)
{
  struct smb_conn *smbc = conn->smbc;
  struct smb_setup msg;
  char *p = msg.bytes;
  unsigned char lm[24];

  /* Init to prevent uninit warning.  */
  memset(&msg, 0, sizeof(msg));
  memset (&lm, 0, sizeof(lm));

  memcpy(p, lm, sizeof(lm));
  p += sizeof(lm);
  /* Had a false-positive overflow at p. Checker had a number of bytes copied
     relative to the start but offset points in the middle the field.  */
  strcpy(p, (smbc->user));
  p += strlen(smbc->user) + 1;

  return 1;
}