profile photo of r2cr2c
Download Count*

Ruleset by r2c

Run Locally

Rules (15)

profile photo of semgrepsemgrep

Avoid using user-controlled format strings passed into 'sprintf', 'printf' and 'vsprintf'. These functions put you at risk of buffer overflow vulnerabilities through the use of format string exploits. Instead, use 'snprintf' and 'vsnprintf'.

profile photo of semgrepsemgrep

Finding triggers whenever there is a strcpy or strncpy used. This is an issue because strcpy does not affirm the size of the destination array and strncpy will not automatically NULL-terminate strings. This can lead to buffer overflows, which can cause program crashes and potentially let an attacker inject code in the program. Fix this by using strcpy_s instead (although note that strcpy_s is an optional part of the C11 standard, and so may not be available).

profile photo of semgrepsemgrep

When handling sensitive information in a buffer, it's important to ensure that the data is securely erased before the buffer is deleted or reused. While `memset()` is commonly used for this purpose, it can leave sensitive information behind due to compiler optimizations or other factors. To avoid this potential vulnerability, it's recommended to use the `memset_s()` function instead. `memset_s()` is a standardized function that securely overwrites the memory with a specified value, making it more difficult for an attacker to recover any sensitive data that was stored in the buffer. By using `memset_s()` instead of `memset()`, you can help to ensure that your application is more secure and less vulnerable to exploits that rely on residual data in memory.