Prefast Buffer overrun warning

Hi,

I am working on the user mode driver for a scanner (WIA) on Longhorn.
I am getting a ‘Prefast’ buffer overrun warning.

When I try to copy the data to a pointer array created with a
‘variable length’ which will get its value at run time, I am facing
this problem.

Here I am allocating memory to pbFWInDataBuf with a size_t lInBufLen+4,
where lInBufLen will have the value at run time.

pbFWInDataBuf = (PBYTE) malloc(lInBufLen+4);

if (bPMLType == STRING_TYPE)
{
    pbFWInDataBuf[0] = 0x01;
    pbFWInDataBuf[1] = 0x0E;

When I run Prefast, I get the following warning.

warning 412: Potential buffer overrun while writing to ‘pbFWInDataBuf’:
the writable size is ‘lInBufLen+4’ bytes, but ‘2’ bytes may be written.
problem occurs in function ’ NiceSetObject’
Path includes 15 statements on the following lines:
611 613 613 614 615 617 619 622 624 627 629 635 638 642 643

I am using the 5112 LDK. I didn’t get any help on the DDK/MS web
site for the warning number (that I am getting in the 5112 LDK). Let me know
if anyone knows the information for the warnings.

Any help and source of information will be helpful.

Thanks and Regards
Abhiman.

A couple of questions back at you:

  • Are you using SAL annotations for your function entry points? I know
    that these modify the behavior of prefast for buffer probing.
  • What is the type of lInBufLen? If it is unsigned, you are right, but
    if this is signed (and I’m no Hungarian notation expert, but that’s what
    I’d guess from the variable name,) you could receive a length of -3, add
    4 to it and end up with 1. That gives you a buffer overflow condition.
  • Did you omit the allocation failure check? I’m surprised that prefast
    didn’t flag that as well, because I don’t see a check for malloc failing
    in your code.

It is certainly possible prefast is being overly conservative here.
Thus, what you might want to do is just add additional code to detect
the condition, even if you “know” it will never happen. That will
satisfy prefast. Example:

DWORD lInDataBufLen = lInBufLen + 4;

if (lInDataBufLen < 4) { /* handle error condition */ }

pbFWInDataBuf = (PBYTE) malloc(lInDataBufLen);

if (NULL == pbFWInDataBuf) { /* handle error condition */ }

if (bPMLType == STRING_TYPE)
{
    pbFWInDataBuf[0] = 0x01;
    pbFWInDataBuf[1] = 0x0E;

If all else fails you CAN tell prefast to shut up about it using #pragma
prefast. I’ve used that in the past, but it is normally my last resort,
not my first option.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the next OSR File Systems class in Los
Angeles, CA October 24-27, 2005.
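
The checks discussed in the reply above (signed length, wrap on the +4, malloc failure), combined into one routine as an added example; it is not code from the thread or from the poster's driver. It assumes lInBufLen is a signed long; alloc_fw_buf, HDR_LEN and the value of STRING_TYPE are hypothetical, and portable C types stand in for PBYTE and DWORD.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define HDR_LEN 4u        /* the "+4" from the thread */
#define STRING_TYPE 1     /* constructed value; the thread does not give it */

/* Returns a buffer of in_len + HDR_LEN bytes with the two header bytes
 * set, or NULL if the length is unusable or the allocation fails. */
unsigned char *alloc_fw_buf(long in_len, int pml_type, size_t *out_len)
{
    unsigned char *buf;
    size_t total;

    *out_len = 0;
    /* A signed length can be negative: -3 + 4 == 1, and the two header
     * writes below would then run past a 1-byte allocation. */
    if (in_len < 0)
        return NULL;
    /* Reject lengths where adding the header would wrap size_t. */
    if ((unsigned long)in_len > SIZE_MAX - HDR_LEN)
        return NULL;
    total = (size_t)in_len + HDR_LEN;

    buf = malloc(total);
    if (buf == NULL)      /* the allocation check missing from the question */
        return NULL;
    if (pml_type == STRING_TYPE) {
        buf[0] = 0x01;
        buf[1] = 0x0E;
    }
    *out_len = total;
    return buf;
}

int main(void)
{
    long samples[] = { -3, 0, 16 };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t n;
        unsigned char *p = alloc_fw_buf(samples[i], STRING_TYPE, &n);
        printf("in_len=%ld -> %s (%zu bytes)\n", samples[i], p ? "ok" : "rejected", n);
        free(p);
    }
    return 0;
}
```

With the length validated before the allocation, the analyzer can see that at least HDR_LEN bytes are writable on every path that reaches the two header writes.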

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@wipro.com
Sent: Tuesday, September 13, 2005 1:49 AM
To: ntdev redirect
Subject: [ntdev] Prefast Buffer overrun warning
