chriskohlhoff / asio

Asio C++ Library
http://think-async.com/Asio

Fortify scan - buffer overflow - Boost version 1.63 #735

Open ghost opened 3 years ago

ghost commented 3 years ago

@TejasSonawan commented on Oct 31, 2018, 3:44 PM UTC:

Hello Team,

We are using the Boost 1.63 library in our project, and when we run a static scan using the Fortify tool, it shows a buffer overflow error in the file "Boost/asio/detail/win_fd_set_adapter.hpp" on line 66.

Below is the code snippet:

```cpp
bool set(socket_type descriptor)
{
  for (u_int i = 0; i < fd_set_->fd_count; ++i)
    if (fd_set_->fd_array[i] == descriptor)
      return true;

  reserve(fd_set_->fd_count + 1);
  fd_set_->fd_array[fd_set_->fd_count++] = descriptor;
  return true;
}
```

The issue is for the line "fd_set_->fd_array[fd_set_->fd_count++] = descriptor;".

Are these errors already fixed in a recent version, or are you planning to fix them in a future version?

Thanks, -Tejas

This issue was moved by chriskohlhoff from boostorg/asio#308.

ghost commented 3 years ago

@swatanabe commented on Oct 31, 2018, 4:09 PM UTC:

ghost commented 3 years ago

@mclow commented on Oct 31, 2018, 4:10 PM UTC:

The place to file bugs against ASIO is http://github.com/boostorg/asio

ghost commented 3 years ago

@TejasSonawan commented on Oct 31, 2018, 5:08 PM UTC:

Thanks for your reply. This is just an example; there are other issues reported by Fortify for Boost. I have not mentioned them all.