FP Rule c:S3519 Out of bound memory access (accessed memory precedes memory block)

Version used: SonarScanner 4.7.0.2747

In this code sonarqube reports an out of bound memory violation (not reported by sonarlint with Idea IDE):

It seems related to this issue: [CPP-2376] - Jira which has been solved for SonarLint

```c
#include <stdlib.h>
#include <string.h>

struct Context
{
    char                *buff;
};

#define LEN 3

/* Grows ctx->buff by LEN + 1 bytes and returns a pointer to the end of the
 * existing string (or NULL if realloc fails, leaving ctx->buff untouched). */
static inline char* ReallocCtxBuff(struct Context* ctx, char* cp)
{
    unsigned long long cl;
    cp = ctx->buff;
    cl = strlen(cp);                               /* unsigned: cannot be negative */
    cp = (char *)realloc(cp, cl + (1 + LEN + 1));  /* new block is cl + LEN + 2 bytes */
    if (cp != NULL)
    {
        ctx->buff = cp;
        cp[cl + LEN + 1] = 0;                      /* last byte of the new block; line flagged by S3519 */
        cp += cl;
    }
    return cp;
}

int main()
{
    struct Context ctx;
    char cp[LEN+1] = "";
    ctx.buff = (char *) malloc(LEN+1);
    ctx.buff[0] = 0;
    ReallocCtxBuff(&ctx, cp);
    free(ctx.buff);
}
```

The issue is reported on this line:

```c
cp[cl + LEN + 1] = 0;
```

This is a false positive because cl is an unsigned long long int which means it cannot be less than 0, also it cannot overflow because now cp is reallocated to be (cl + LEN + 2) and the access is in cl + LEN +
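To confirm the reasoning above at runtime rather than by inspection, here is an added harness (not part of the original post, and not Sonar's rule implementation) that mirrors `ReallocCtxBuff`, records the size requested from `realloc`, and checks that the flagged index lies inside it. The names `ReallocCtxBuffChecked`, `check_invariants` and `last_alloc_size` are assumptions introduced for this example; building it with `-fsanitize=address` gives an independent bounds check.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

#define LEN 3
struct Context { char *buff; };

/* Size of the most recent realloc, recorded so the checks below can compare
 * it with the index that is written (bookkeeping added for this example). */
static size_t last_alloc_size;

/* Same logic as the reported function, with size and index made explicit. */
static char *ReallocCtxBuffChecked(struct Context *ctx)
{
    size_t cl = strlen(ctx->buff);        /* unsigned, so never below zero    */
    size_t new_size = cl + (1 + LEN + 1); /* cl + LEN + 2 bytes are requested */
    size_t idx = cl + LEN + 1;            /* == new_size - 1: last valid index */
    last_alloc_size = new_size;
    assert(idx < new_size);               /* the access S3519 flags is in range */

    char *cp = realloc(ctx->buff, new_size);
    if (cp == NULL)
        return NULL;                      /* ctx->buff still owns the old block */
    ctx->buff = cp;
    cp[idx] = 0;
    return cp + cl;                       /* points at the old terminator */
}

/* Runs the function on a constructed string and returns 1 if every invariant
 * the post relies on holds: write inside the allocation, old contents kept,
 * returned pointer at the end of the old string. 0 on any violation or OOM. */
static int check_invariants(const char *initial)
{
    struct Context ctx;
    size_t cl = strlen(initial);
    ctx.buff = malloc(cl + 1);
    if (ctx.buff == NULL)
        return 0;
    memcpy(ctx.buff, initial, cl + 1);

    char *end = ReallocCtxBuffChecked(&ctx);
    int ok = end != NULL
          && end == ctx.buff + cl
          && cl + LEN + 1 < last_alloc_size
          && memcmp(ctx.buff, initial, cl + 1) == 0
          && ctx.buff[cl + LEN + 1] == 0;
    free(ctx.buff);
    return ok;
}
```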

Hi,

Welcome to the community!

What’s your SonarQube version?

Ann

Hi Ann,

SonarQube version is: Enterprise Edition, Version 8.9.6 (build 50800)

Hi,

Thanks for your version number. That’s not the latest version. Since you say the FP isn’t raised in SonarLint, I need to ask whether you run SonarLint in connected mode with SonarQube?

Why? When you’re in connected mode, SonarLint runs the rule implementation that’s on the server, and when you’re not in connected mode, you get the implementation version that shipped with SonarLint. So if your SonarLint version is newer than your SonarQube version, it’s possible to see these discrepancies. And it means that an upgrade of SonarQube would fix the problem for you! :wink: (And yes, I understand that you’re probably on the LTS for a reason. The new LTS comes out next month, on the 7th. :smiley:)

So… Does this sound right to you? Are you using connected mode?

Ann

Hi Ann,

Yes, I am using connected mode. However, the bug still shows the false positive. Nonetheless, if the bug is fixed in newer versions of SonarQube it’s all good then.

Thanks,

JC

Hi,

Just to follow up, I’ve been told I’m wrong. :grimacing:

For C and C++, SonarLint always uses the implementation it was shipped with, regardless of whether or not you’re in connected mode. So that explains perfectly what you’re seeing.

Ann

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.