fix: use bounded strlcpy/snprintf in codegen.c#47
Conversation
Automated security fix generated by OrbisAI Security
The codegen utility copies user-supplied command-line argument argv[1] into a fixed-size 'section' buffer using strcpy without any bounds checking
|
Thanks for the report. This is a valid local buffer overflow in a developer-only code generation utility, but I’d prefer a narrower robustness fix here: reject overlong section names rather than silently truncating them, and audit the nearby generated-name buffers at the same time. The added test also does not appear to be wired into the build system. |
Reject overlong section names with an explicit error rather than silently truncating. Audit the nearby function_name buffer and skip methods whose names would overflow it. Replace the unwired Check-based test with a standalone codegen_test.c wired into utils/Makefile.am so it runs under make check. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This is addressed. Pls review. |
|
✅ Review Feedback Addressed I've automatically addressed 1 review comment(s): The reviewer (dajobe) has requested three specific changes:
Looking at the current diff:
The current implementation already does what the reviewer asked for (rejects overlong names rather than truncating), and audits the function_name buffer. The main issue is that the test integration in Makefile.am needs to be fixed to properly wire it into the autotools test framework. I need to:
Files modified:
The changes have been pushed to this PR branch. Please review! |
Summary
Fix high severity security issue in
utils/codegen.c.Vulnerability
V-004utils/codegen.c:228Description: The codegen utility copies user-supplied command-line argument argv[1] into a fixed-size 'section' buffer using strcpy without any bounds checking. If argv[1] exceeds the buffer's remaining capacity (buffer_size - 7 bytes), the copy overflows into adjacent memory, potentially overwriting the return address or other critical data on the stack.
Evidence
Exploitation scenario: Invoke codegen with a crafted argv[1] argument exceeding the section buffer size: ./codegen $(python -c 'print("A"*1024)') to trigger stack buffer overflow and potentially achieve code execution.
Scanner confirmation: multi_agent_ai rule
V-004flagged this pattern.Production code: This file is in the production codebase, not test-only code.
Changes
utils/codegen.cVerification
Security Invariant
Regression test
This test guards against regressions — it's useful independent of the code change above.
Automated security fix by OrbisAI Security