Upraviť

Zdieľať cez


Warning C6059

Incorrect length parameter in call to 'function'. Pass the number of remaining characters, not the buffer size of 'variable'.

Remarks

This warning indicates that a call to a string concatenation function is probably passing an incorrect value for the number of characters to concatenate. This defect might cause an exploitable buffer overrun or crash. A common cause of this defect is passing the buffer size (instead of the remaining number of characters in the buffer) to the string manipulation function.

This warning helps identify the common error of sending the size of the target buffer instead of the size of the data. It does so by detecting when the size used to allocate the buffer is passed, unchanged, to the function putting data in the buffer.

Code analysis name: BAD_CONCATENATION

Example

The following code generates warning C6059:

#include <string.h>
#define MAX 25

void f( )
{
  char szTarget[MAX];
  const char *szState ="Washington";
  const char *szCity="Redmond, ";

  strncpy(szTarget, szCity, MAX);
  szTarget[MAX -1] = '\0';
  strncat(szTarget, szState, MAX); // wrong size
  // code ...
}

To correct this warning, use the correct number of characters to concatenate as shown in the following code:

#include <string.h>
#define MAX 25

void f( )
{
  char szTarget[MAX];
  const char *szState ="Washington";
  const char *szCity="Redmond, ";

  strncpy(szTarget, szCity, MAX);
  szTarget[MAX -1] = '\0';
  strncat(szTarget, szState, MAX - strlen(szTarget)); // correct size
  // code ...
}

To correct this warning using the safe string manipulation functions strncpy_s and strncat_s, see the following code:

#include <string.h>

void f( )
{
  const char *szState ="Washington";
  const char *szCity="Redmond, ";

  size_t nTargetSize = strlen(szState) + strlen(szCity) + 1;
  char *szTarget= new char[nTargetSize];

  strncpy_s(szTarget, nTargetSize, szCity, strlen(szCity));
  strncat_s(szTarget, nTargetSize, szState,
                    nTargetSize - strlen(szTarget));
  // code ...
  delete [] szTarget;
}

Heuristics

This analysis detects when the target buffer size is passed unmodified into the length parameter of the string manipulation function. This warning isn't given if some other value is passed as the length parameter, even if that value is incorrect.

Consider the following code that generates warning C6059:

#include <string.h>
#define MAX 25

void f( )
{
  char szTarget[MAX];
  const char *szState ="Washington";
  const char *szCity="Redmond, ";

  strncpy(szTarget, szCity, MAX);
  szTarget[MAX -1] = '\0';
  strncat(szTarget, szState, MAX); // wrong size
  // code ...
}

The warning goes away by changing the MAX argument to strncat to MAX - 1, even though the length calculation is still incorrect.

#include <string.h>
#define MAX 25

void f( )
{
  char szTarget[MAX];
  const char *szState ="Washington";
  const char *szCity="Redmond, ";

  strncpy(szTarget, szCity, MAX);
  szTarget[MAX -1] = '\0';
  strncat(szTarget, szState, MAX - 1); // wrong size, but no warning
  // code ...
}

See also