Flawfinder检测到Fix (CWE-120，CWE-20)

Question

我被要求使用Flawfinder分析一些C代码：

char * buffer;
size_t len;
// my_fd is a file descriptor
read(my_fd, &len, sizeof(len));
buffer = malloc(len + 1);
read(my_fd, buffer, len);
buffer[len] = '\0';

我在第2条上收到以下警告：

test.c:xx:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20).
test.c:xx:  [1] (buffer) read:
  Check buffer boundaries if used in a loop including recursive loops
  (CWE-120, CWE-20). 

我尝试遵循this答案，修改函数如下：

char * buffer;
size_t len;
// my_fd is a file descriptor
ssize_t ret = read(my_fd, &len, sizeof(len));

if (ret == -1 || ret != sizeof len) {
     buffer = NULL;
} else {
     buffer = malloc(len + 1);
     ret = read(my_fd, buffer, len);
     buffer[ret] = '\0';
}
free(buffer);

但这些漏洞仍被检测到。我遗漏了什么？

更新#1:

我根据@4386427建议更新了函数，检查了read()和malloc()

char * buffer = NULL;
size_t len;
ssize_t ret = read(my_fd, &len, sizeof(len));

if (ret == sizeof len)
{
     buffer = malloc(len + 1);

     if (buffer != NULL)
     {
          ret = read(my_fd, buffer, len);

          if (ret == len)
          {
               buffer[ret] = '\0';
          }
          free(buffer);
     }
}

但是没有什么改变，我怎样才能进一步提高安全性呢？

更新#2

因为Flawfinder只进行模式检查，而且似乎没有更多的改进可以应用；此时，我将这些错误标记为假阳性。

Answer 1

在最后一个代码段中，我看到两个地方没有正确地处理返回值。1)你不检查malloc 2)你不检查读取

尝试：

char * buffer;
size_t len;
// my_fd is a file descriptor
ssize_t ret = read(my_fd, &len, sizeof(len));

if (ret != sizeof len) {
     buffer = NULL;
} else {
    buffer = malloc(len + 1);
    if (buffer != NULL)        // Check that malloc was ok
    {
         ret = read(my_fd, buffer, len);

         if (ret == -1)        // Check that read was ok
         {
             // error handling....
             //
             // for now just do:
             ret = 0;
         }
         else if (ret != len)
         {
             // Didn't get as much data as expected
             //
             // Add some error handling....
         }
         buffer[ret] = '\0';
    }
}
free(buffer);