Description of the false positive
CodeQL reports false positives from cpp/unbounded-write when the destination buffer passed to strcpy() has been allocated to be big enough to fit the string according to strlen().
Code samples or links to source code
Here is an example from the OpenZFS source code:
```c
int len = strlen(drrb->drr_toname);
cp = umem_alloc(len + 2, UMEM_NOFAIL);
cp[0] = '/';
(void) strcpy(&cp[1], drrb->drr_toname);
```
We allocate cp to be 2 larger than the length of drrb->drr_toname. Then we do a strcpy() command that is guaranteed to be safe.
That is from report 783 below.
URL to the alert on GitHub code scanning (optional)
https://github.com/ryao/zfs/security/code-scanning/782
https://github.com/ryao/zfs/security/code-scanning/783
https://github.com/ryao/zfs/security/code-scanning/784
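
The allocate-from-strlen() then strcpy() pattern described in the report, as an added example that is not part of the original issue or the OpenZFS code: malloc() stands in for umem_alloc(), the length is held in a size_t, and the function names and sample strings are constructed. The second function produces the same string with the byte count stated at the copy site, so the bound can be read from the call itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern from the report: size the buffer from strlen(), then strcpy().
 * prefix_strcpy is a hypothetical name; malloc() replaces umem_alloc(). */
char *prefix_strcpy(const char *name)
{
    size_t len = strlen(name);
    char *cp = malloc(len + 2);        /* '/' + name + terminating NUL */
    if (cp == NULL)
        return NULL;
    cp[0] = '/';
    (void) strcpy(&cp[1], name);       /* copies len + 1 bytes into the len + 1 left */
    return cp;
}

/* Same output, but the copy carries its own length (hypothetical name). */
char *prefix_memcpy(const char *name)
{
    size_t len = strlen(name);
    char *cp = malloc(len + 2);
    if (cp == NULL)
        return NULL;
    cp[0] = '/';
    memcpy(&cp[1], name, len + 1);     /* len bytes of name plus its NUL */
    return cp;
}

int main(void)
{
    const char *sample = "pool/fs@snap";   /* constructed sample input */
    char *a = prefix_strcpy(sample);
    char *b = prefix_memcpy(sample);
    if (a == NULL || b == NULL)
        return 1;
    printf("%s\n%s\n", a, b);
    free(a);
    free(b);
    return 0;
}
```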