Open
Description
Description of the false positive
I have 6 total false positives of the same category:
- I have structs that are heap allocated (they are NOT stack allocated), and they have methods that assign a global pointer, the value of "this".
- CodeQL has two things wrong here: a) "this" is not a parameter value in C++, and b) the so-called parameter value "this" is NOT a stack address. This is clearly a bug in the scanner - had I stored the address of something actually stack allocated from within the function, it would clearly be an issue, but I'm storing "this" (which definitely is not stack allocated and not even created inside the function).
- All 6 alerts have the same issue: the issue of storing "this" in some global or otherwise surviving pointer. Storing "this" for an object that is heap allocated is definitely not even close to being an issue.
Code samples or links to source code
URL to the alert on GitHub code scanning (optional)
https://github.com/uNetworking/uWebSockets/security/code-scanning/101
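The pattern described in the report, written out as an added, constructed example (not code from uWebSockets or from the alert): a method stores `this` in a global, once called on a heap-allocated object and once on an automatic one, beside the local-address escape that a "stack address stored in global" check is actually meant to catch. The names `Session`, `g_current` and `g_dangling` are made up for the example.

```cpp
#include <cstddef>

struct Session;

// "Otherwise surviving" pointer, as in the report (constructed name).
static Session *g_current = nullptr;

struct Session {
    int id;
    explicit Session(int i) : id(i) {}

    // The method body the alert fires on: `this` escapes into a global.
    // Inside the method nothing says where the object lives; that is
    // decided by the caller (new vs. automatic storage), not by `this`.
    void registerSelf() { g_current = this; }
};

// Heap-allocated caller: the object outlives this frame, so the stored
// pointer stays valid until the explicit delete. Returns the id read
// back through the global to show it is still usable after the call.
int heapRegisteredId() {
    Session *s = new Session(7);
    s->registerSelf();
    int id = g_current->id;   // valid: *s is on the heap and not yet freed
    delete s;
    g_current = nullptr;      // clear before the object goes away
    return id;
}

// Automatic-storage caller: here `this` really is a stack address and
// g_current dangles once this function returns. Nothing below reads
// through it afterwards, so the program stays well-defined.
void stackRegistration() {
    Session local(1);
    local.registerSelf();
}   // g_current now points into a dead frame

// The case such a query exists for: the address of a function-local
// variable, not `this`, is stored in a global and outlives the frame.
static int *g_dangling = nullptr;
void storeLocalAddress() {
    int local = 42;
    g_dangling = &local;      // dangles as soon as this function returns
}
```

The heap case runs cleanly and reads back its value; the other two functions are there only to show what the stored pointer refers to in each call pattern, and should never be dereferenced after the call returns.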