Merge pull request #5938 from MathiasVP/promote-access-of-memory-location-after-end-of-buffer-using-strncat

C++: Promote `cpp/access-memory-location-after-end-buffer-strncat` out of experimental

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected

@@ -1,9 +1,9 @@
-| test.c:54:3:54:24 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:55:3:55:40 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:56:3:56:44 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:57:3:57:44 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:58:3:58:48 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:59:3:59:48 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:60:3:60:52 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:61:3:61:50 | ... = ... | potential unsafe or redundant assignment. |
-| test.c:62:3:62:54 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:16:3:16:24 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:17:3:17:40 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:18:3:18:44 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:19:3:19:44 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:20:3:20:48 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:21:3:21:48 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:22:3:22:52 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:23:3:23:50 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:24:3:24:54 | ... = ... | potential unsafe or redundant assignment. |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.expected

@@ -1,5 +0,0 @@
-| test.c:8:3:8:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
-| test.c:9:3:9:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
-| test.c:17:3:17:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
-| test.c:18:3:18:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |
-| test.c:46:3:46:9 | call to strncat | Possible out-of-bounds write due to incorrect size argument. |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.qlref

@@ -1 +0,0 @@
-experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c

@@ -2,50 +2,12 @@ char * strncat(char*, const char*, unsigned);
 unsigned strlen(const char*);
 void* malloc(unsigned);
 
-void strncat_test1(char *s) {
-  char buf[80];
-  strncat(buf, s, sizeof(buf) - strlen(buf) - 1); // GOOD
-  strncat(buf, s, sizeof(buf) - strlen(buf));  // BAD
-  strncat(buf, "fix", sizeof(buf)-strlen(buf)); // BAD
-}
-
-#define MAX_SIZE 80
-
-void strncat_test2(char *s) {
-  char buf[MAX_SIZE];
-  strncat(buf, s, MAX_SIZE - strlen(buf) - 1); // GOOD
-  strncat(buf, s, MAX_SIZE - strlen(buf));  // BAD
-  strncat(buf, "fix", MAX_SIZE - strlen(buf)); // BAD
-}
-
-void strncat_test3(char *s) {
-  int len = 80;
-  char* buf = (char *) malloc(len);
-  strncat(buf, s, len - strlen(buf) - 1); // GOOD
-  strncat(buf, s, len - strlen(buf));  // BAD [NOT DETECTED]
-  strncat(buf, "fix", len - strlen(buf)); // BAD [NOT DETECTED]
-}
-
-void strncat_test4(char *s) {
-  int len = 80;
-  char* buf = (char *) malloc(len + 1);
-  strncat(buf, s, len - strlen(buf) - 1); // GOOD
-  strncat(buf, s, len - strlen(buf)); // GOOD
-}
-
 struct buffers
 {
     unsigned char array[50];
     unsigned char *pointer;
 } globalBuff1,*globalBuff2,globalBuff1_c,*globalBuff2_c;
 
-void strncat_test5(char* s, struct buffers* buffers) {
-  unsigned len_array = strlen(buffers->array);
-  unsigned max_size = sizeof(buffers->array);
-  unsigned free_size = max_size - len_array;
-  strncat(buffers->array, s, free_size); // BAD
-}
-
 void strlen_test1(){
   unsigned char buff1[12];
   struct buffers buffAll;

cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/SuspiciousCallToStrncat.expected

@@ -1 +1,5 @@
 | test.c:24:2:24:8 | call to strncat | Potentially unsafe call to strncat. |
+| test.c:45:3:45:9 | call to strncat | Potentially unsafe call to strncat. |
+| test.c:67:3:67:9 | call to strncat | Potentially unsafe call to strncat. |
+| test.c:75:3:75:9 | call to strncat | Potentially unsafe call to strncat. |
+| test.c:76:3:76:9 | call to strncat | Potentially unsafe call to strncat. |

cpp/ql/test/query-tests/Likely Bugs/Memory Management/SuspiciousCallToStrncat/test.c

@@ -39,3 +39,46 @@ void bad1(char *s) {
 	strncat(buf, ".", 1); // BAD [NOT DETECTED] -- Need to check if any space is left
 }
 
+void strncat_test1(char *s) {
+  char buf[80];
+  strncat(buf, s, sizeof(buf) - strlen(buf) - 1); // GOOD
+  strncat(buf, s, sizeof(buf) - strlen(buf));  // BAD
+}
+
+void* malloc(size_t);
+
+void strncat_test2(char *s) {
+  int len = 80;
+  char* buf = (char *)malloc(len);
+  strncat(buf, s, len - strlen(buf) - 1); // GOOD
+  strncat(buf, s, len - strlen(buf));  // BAD [NOT DETECTED]
+}
+
+struct buffers
+{
+  char array[50];
+  char* pointer;
+};
+
+void strncat_test3(char* s, struct buffers* buffers) {
+  unsigned len_array = strlen(buffers->array);
+  unsigned max_size = sizeof(buffers->array);
+  unsigned free_size = max_size - len_array;
+  strncat(buffers->array, s, free_size); // BAD
+}
+
+#define MAX_SIZE 80
+
+void strncat_test4(char *s) {
+  char buf[MAX_SIZE];
+  strncat(buf, s, MAX_SIZE - strlen(buf) - 1); // GOOD
+  strncat(buf, s, MAX_SIZE - strlen(buf));  // BAD
+  strncat(buf, "...", MAX_SIZE - strlen(buf)); // BAD
+}
+
+void strncat_test5(char *s) {
+  int len = 80;
+  char* buf = (char *) malloc(len + 1);
+  strncat(buf, s, len - strlen(buf) - 1); // GOOD
+  strncat(buf, s, len - strlen(buf)); // GOOD
+}