PREfast Warning 204 (Windows CE 5.0)
204 - Possible buffer overrun in call to <function>.
Additional Information: Use of unchecked parameter <variable>.
This warning indicates that a function call is being made that could lead to an overrun of a stack buffer, depending on the possible values of parameters to the function being analyzed.
This defect can result in an exploitable buffer overrun or crash; in fact, some high-profile security exploits have been caused by this defect.
However, because PREfast does not consider the set of all possible callers to the function being analyzed, the code might be completely safe.
It is a good idea to double-check the code and the callers to this function to see whether the function can ever be called with unexpected data.
If it is not clear that all calls are safe, it might be appropriate to validate the input to the function (that is, by checking the length of any input strings).
Conversely, unnecessary validation exacts a performance cost.
**Note **PREfast can sometimes report this warning on certain idioms guaranteed to be safe in practice. Because of the frequency and potential consequences of this defect, PREfast acts in favor of finding potential issues rather than its normal bias of reducing noise.
Example
Defective Source
char buff[10];
strcpy(buff, ptr);
Corrected Source
char buff[10];
if (strlen(ptr) >= sizeof buff) {
return;
}
strcpy (buff, ptr);
Send Feedback on this topic to the authors