Why security hotspots are not reported in this case

Please provide

  • Operating system: windows 10
  • Visual Studio version: 1.85.1
  • SonarLint plugin version: 4.2.2
  • Programming language you’re coding in: c
  • Is connected mode used: sonarqube 10.2
    • Connected to SonarCloud or SonarQube (and which version):

And a thorough description of the problem / question:
Hi
I’m confused as to why security hotspots are not reported on line 7. Lines 8 and 9 report security hotspots.

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
char buf[10];                                  /* fixed 10-byte destination */
int main(void)  {
    char const *message="ptpf11111111";        /* 12 characters, 13 bytes with the NUL */
    sprintf(buf,"%s",message);                 /* writes 13 bytes into a 10-byte buffer */
    sprintf(buf,"p,%s",message);               /* writes 15 bytes into a 10-byte buffer */
    sprintf(buf,"ptpf");                       /* writes 5 bytes: fits, but still unbounded */

    size_t buflen = snprintf(0, 0, "%s",message); /* measure the formatted length first */
    char* buf1 = malloc(buflen + 1); // For the final 0
    sprintf(buf1,"%s",message);                /* bounded by the snprintf measurement above */
    free(buf1);
    return 0;
}

Hey there.

Help me out – which hotspot(s) are being reported on Lines 8 and 9?

Hi!

It is reported by rule c:S6069

Hello @zhangjiuwang,

This rule has an exception when snprintf may have been used to compute the buffer size. See the exception on the rule description.

However, this looks to me like a bug. The snprintf comes after the call to sprintf, so it can’t possibly be used to do the bound checks.

I have created a ticket to track this issue
https://sonarsource.atlassian.net/browse/CPP-4901

Thanks a lot for the report!


Hi @aalvarez
Thanks for your reply. After I deleted the code after line 10, line 7 also reported this security hotspot.
Also, why does line 9 (sprintf(buf,"ptpf");) report this security hotspot? It looks like the size of buf is enough?

It is, you are right. But note that “security hotspot” does not mean there is a bug, only that it is worth double-checking that line to make sure there isn’t.

If the analyzer could prove there is an overflow, then you would get

  • S3519 Memory access should be explicitly bounded to prevent buffer overflows (Example)
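The thread contrasts three things: an unbounded sprintf that really does overflow the 10-byte buffer, an unbounded sprintf that happens to fit, and the measure-then-allocate pattern that S6069's exception is meant to recognise (where the snprintf(NULL, 0, ...) call has to come before the sprintf it bounds). The following is an added example written for this page, not code from the thread or from SonarSource; the function names format_bounded, format_alloc and sprintf_would_overflow and the 10-byte SMALL_BUF are assumptions chosen to mirror the original post. It shows the same "ptpf11111111" message written three ways, and the length check an analyzer must be able to do before a hotspot becomes a proven S3519 bug.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the thread. SMALL_BUF mirrors the char buf[10]
 * in the original post. */
#define SMALL_BUF 10

/* Bounded write: snprintf never stores more than bufsize bytes and returns
 * the length the full output WOULD have had, so truncation is detectable
 * instead of becoming a silent overflow.
 * Returns 1 if the output was truncated, 0 if it fit, -1 on encoding error. */
int format_bounded(char *buf, size_t bufsize, const char *prefix, const char *message) {
    int needed = snprintf(buf, bufsize, "%s%s", prefix, message);
    if (needed < 0) return -1;
    return (size_t)needed >= bufsize ? 1 : 0;
}

/* Measure-then-allocate: the pattern the S6069 exception is meant for,
 * with the snprintf(NULL, 0, ...) measurement BEFORE the sprintf it bounds.
 * Returns a heap string the caller must free, or NULL on failure. */
char *format_alloc(const char *prefix, const char *message) {
    int needed = snprintf(NULL, 0, "%s%s", prefix, message);
    if (needed < 0) return NULL;
    char *out = malloc((size_t)needed + 1);   /* +1 for the terminating NUL */
    if (out == NULL) return NULL;
    sprintf(out, "%s%s", prefix, message);    /* cannot overflow: sized above */
    return out;
}

/* The check that separates a hotspot from a proven bug: does the formatted
 * length plus the NUL exceed the destination? Returns 1 if
 * sprintf(buf, "%s%s", prefix, message) into bufsize bytes would overflow. */
int sprintf_would_overflow(size_t bufsize, const char *prefix, const char *message) {
    int needed = snprintf(NULL, 0, "%s%s", prefix, message);
    return (needed < 0 || (size_t)needed + 1 > bufsize) ? 1 : 0;
}

int main(void) {
    char buf[SMALL_BUF];
    const char *message = "ptpf11111111";   /* 12 characters, as in the thread */

    /* The thread's "%s" and "p,%s" writes need 13 and 15 bytes; "ptpf" needs 5. */
    printf("\"%s\" into %d bytes overflows: %d\n", message, SMALL_BUF,
           sprintf_would_overflow(SMALL_BUF, "", message));
    printf("\"p,%s\" into %d bytes overflows: %d\n", message, SMALL_BUF,
           sprintf_would_overflow(SMALL_BUF, "p,", message));
    printf("\"ptpf\" into %d bytes overflows: %d\n", SMALL_BUF,
           sprintf_would_overflow(SMALL_BUF, "", "ptpf"));

    /* Bounded version of the overflowing "p,%s" write: truncated, not corrupted. */
    int truncated = format_bounded(buf, sizeof buf, "p,", message);
    printf("bounded: \"%s\" truncated=%d\n", buf, truncated);

    /* Measure-then-allocate version: the full string, no fixed buffer at all. */
    char *heap = format_alloc("p,", message);
    if (heap != NULL) {
        printf("alloc: \"%s\" (%zu bytes incl. NUL)\n", heap, strlen(heap) + 1);
        free(heap);
    }
    return 0;
}
```

The hotspot on the "ptpf" line is the analyzer saying "unbounded write, please check", and sprintf_would_overflow is the check it is asking you to do; only when that check can be proven true at analysis time does the finding become an S3519 bug rather than an S6069 hotspot.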