Merge pull request #5938 from MathiasVP/promote-access-of-memory-location-after-end-of-buffer-using-strncat

C++: Promote `cpp/access-memory-location-after-end-buffer-strncat` out of experimental
2026-02-01 07:42:57 +01:00 · 2021-05-25 14:36:53 +01:00
parent 1997f500c2 78cc8f01d6
commit 2fd461e984
13 changed files with 127 additions and 140 deletions
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.c
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.c
@@ -1,4 +0,0 @@
- 
-strncat(dest, source, sizeof(dest) - strlen(dest)); // BAD: writes a zero byte past the `dest` buffer.
-
-strncat(dest, source, sizeof(dest) - strlen(dest) -1); // GOOD: Reserves space for the zero byte.
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.qhelp
@@ -1,32 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>The standard library function <code>strncat(dest, source, count)</code> appends the <code>source</code> string to the <code>dest</code> string. <code>count</code> specifies the maximum number of characters to append and must be less than the remaining space in the target buffer. Calls of the form <code> strncat (dest, source, sizeof (dest) - strlen (dest)) </code> set the third argument to one more than possible. So when the <code>dest</code> is full, the expression <code> sizeof (dest) - strlen (dest) </code> will be equal to one, and not zero as the programmer might think. Making a call of this type may result in a zero byte being written just outside the <code>dest</code> buffer.</p>
-
-
-</overview>
-<recommendation>
-
-<p>We recommend subtracting one from the third argument. For example, replace <code>strncat(dest, source, sizeof(dest)-strlen(dest))</code> with <code>strncat(dest, source, sizeof(dest)-strlen(dest)-1)</code>.</p>
-
-</recommendation>
-<example>
-<p>The following example demonstrates an erroneous and corrected use of the <code>strncat</code> function.</p>
-<sample src="AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.c" />
-
-</example>
-<references>
-
-<li>
-  CERT C Coding Standard:
-<a href="https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator">STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator</a>.
-</li>
-<li>
-  CERT C Coding Standard:
-  <a href="https://wiki.sei.cmu.edu/confluence/display/c/ARR30-C.+Do+not+form+or+use+out-of-bounds+pointers+or+array+subscripts">ARR30-C. Do not form or use out-of-bounds pointers or array subscripts</a>.
-</li>
-
-</references>
-</qhelp>
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql
@@ -1,42 +0,0 @@
-/**
- * @name Access Of Memory Location After The End Of A Buffer Using Strncat
- * @description Calls of the form `strncat(dest, source, sizeof (dest) - strlen (dest))` set the third argument to one more than possible. So when `dest` is full, the expression `sizeof(dest) - strlen (dest)` will be equal to one, and not zero as the programmer might think. Making a call of this type may result in a zero byte being written just outside the `dest` buffer.
- * @kind problem
- * @id cpp/access-memory-location-after-end-buffer-strncat
- * @problem.severity warning
- * @precision medium
- * @tags correctness
- *       security
- *       external/cwe/cwe-788
- */
-
-import cpp
-import semmle.code.cpp.models.implementations.Strcat
-import semmle.code.cpp.valuenumbering.GlobalValueNumbering
-
-/**
- * Holds if `call` is a call to `strncat` such that `sizeArg` and `destArg` are the size and
- * destination arguments, respectively.
- */
-predicate interestringCallWithArgs(Call call, Expr sizeArg, Expr destArg) {
-  exists(StrcatFunction strcat |
-    strcat = call.getTarget() and
-    sizeArg = call.getArgument(strcat.getParamSize()) and
-    destArg = call.getArgument(strcat.getParamDest())
-  )
-}
-
-from FunctionCall call, Expr sizeArg, Expr destArg, SubExpr sub, int n
-where
-  interestringCallWithArgs(call, sizeArg, destArg) and
-  // The destination buffer is an array of size n
-  destArg.getUnspecifiedType().(ArrayType).getSize() = n and
-  // The size argument is equivalent to a subtraction
-  globalValueNumber(sizeArg).getAnExpr() = sub and
-  // ... where the left side of the subtraction is the constant n
-  globalValueNumber(sub.getLeftOperand()).getAnExpr().getValue().toInt() = n and
-  // ... and the right side of the subtraction is a call to `strlen` where the argument is the
-  // destination buffer.
-  globalValueNumber(sub.getRightOperand()).getAnExpr().(StrlenCall).getStringExpr() =
-    globalValueNumber(destArg).getAnExpr()
-select call, "Possible out-of-bounds write due to incorrect size argument."