Merge pull request #5009 from ihsinme/ihsinme-patch-219

CPP: add query for CWE-788 Access of memory location after the end of a buffer using strncat.

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.expected

@@ -0,0 +1,3 @@
+| test.c:4:3:4:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |
+| test.c:11:3:11:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |
+| test.c:19:3:19:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c

@@ -0,0 +1,28 @@
+void workFunction_0(char *s) {
+  char buf[80];
+  strncat(buf, s, sizeof(buf)-strlen(buf)-1); // GOOD
+  strncat(buf, s, sizeof(buf)-strlen(buf));  // BAD
+  strncat(buf, "fix", sizeof(buf)-strlen(buf)); // BAD [NOT DETECTED] 
+}
+void workFunction_1(char *s) {
+#define MAX_SIZE 80
+  char buf[MAX_SIZE];
+  strncat(buf, s, MAX_SIZE-strlen(buf)-1); // GOOD
+  strncat(buf, s, MAX_SIZE-strlen(buf));  // BAD
+  strncat(buf, "fix", MAX_SIZE-strlen(buf)); // BAD [NOT DETECTED]
+}
+void workFunction_2_0(char *s) {
+  char * buf;
+  int len=80;
+  buf = (char *) malloc(len);
+  strncat(buf, s, len-strlen(buf)-1); // GOOD
+  strncat(buf, s, len-strlen(buf));  // BAD
+  strncat(buf, "fix", len-strlen(buf)); // BAD [NOT DETECTED]
+}
+void workFunction_2_1(char *s) {
+  char * buf;
+  int len=80;
+  buf = (char *) malloc(len+1);
+  strncat(buf, s, len-strlen(buf)-1); // GOOD
+  strncat(buf, s, len-strlen(buf));  // GOOD
+}