Merge pull request #14735 from jketema/strl

C++: Add models for `strlcpy` and `strlcat`
2026-04-24 08:15:14 +02:00 · 2023-11-10 17:51:59 +01:00
parent 18c0bcec0b b48d483eba
commit 3a62628938
3 changed files with 79 additions and 4 deletions
--- a/cpp/ql/lib/change-notes/2023-11-10-strlcpy-strlcat-models.md
+++ b/cpp/ql/lib/change-notes/2023-11-10-strlcpy-strlcat-models.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added models for `strlcpy` and `strlcat`.
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
@@ -10,6 +10,8 @@ import semmle.code.cpp.models.interfaces.SideEffect

 /**
 * The standard function `strcat` and its wide, sized, and Microsoft variants.
+ *
+ * Does not include `strlcat`, which is covered by `StrlcatFunction`
 */
 class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, SideEffectFunction {
  StrcatFunction() {
@@ -90,3 +92,64 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
    buffer = true
  }
 }
+
+/**
+ * The `strlcat` function.
+ */
+class StrlcatFunction extends TaintFunction, ArrayFunction, SideEffectFunction {
+  StrlcatFunction() {
+    this.hasGlobalName("strlcat") // strlcat(dst, src, dst_size)
+  }
+
+  /**
+   * Gets the index of the parameter that is the size of the copy (in characters).
+   */
+  int getParamSize() { result = 2 }
+
+  /**
+   * Gets the index of the parameter that is the source of the copy.
+   */
+  int getParamSrc() { result = 1 }
+
+  /**
+   * Gets the index of the parameter that is the destination to be appended to.
+   */
+  int getParamDest() { result = 0 }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    (
+      input.isParameter(2)
+      or
+      input.isParameterDeref(0)
+      or
+      input.isParameterDeref(1)
+    ) and
+    output.isParameterDeref(0)
+  }
+
+  override predicate hasArrayInput(int param) {
+    param = 0 or
+    param = 1
+  }
+
+  override predicate hasArrayOutput(int param) { param = 0 }
+
+  override predicate hasArrayWithNullTerminator(int param) { param = 1 }
+
+  override predicate hasArrayWithUnknownSize(int param) { param = 0 }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i = 0 and
+    buffer = true and
+    mustWrite = false
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    (i = 0 or i = 1) and
+    buffer = true
+  }
+}
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
@@ -32,7 +32,8 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
        "wcsxfrm_l", // _strxfrm_l(dest, src, max_amount, locale)
        "_mbsnbcpy", // _mbsnbcpy(dest, src, max_amount)
        "stpcpy", // stpcpy(dest, src)
-        "stpncpy" // stpcpy(dest, src, max_amount)
+        "stpncpy", // stpncpy(dest, src, max_amount)
+        "strlcpy" // strlcpy(dst, src, dst_size)
      ])
    or
    (
@@ -53,6 +54,11 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
   */
  private predicate isSVariant() { this.getName().matches("%\\_s") }

+  /**
+   * Holds if the function returns the total length the string would have had if the size was unlimited.
+   */
+  private predicate returnsTotalLength() { this.getName() = "strlcpy" }
+
  /**
   * Gets the index of the parameter that is the maximum size of the copy (in characters).
   */
@@ -60,7 +66,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
    if this.isSVariant()
    then result = 1
    else (
-      this.getName().matches(["%ncpy%", "%nbcpy%", "%xfrm%"]) and
+      this.getName().matches(["%ncpy%", "%nbcpy%", "%xfrm%", "strlcpy"]) and
      result = 2
    )
  }
@@ -100,6 +106,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
    input.isParameterDeref(this.getParamSrc()) and
    output.isReturnValueDeref()
    or
+    not this.returnsTotalLength() and
    input.isParameter(this.getParamDest()) and
    output.isReturnValue()
  }
@@ -110,8 +117,9 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
    exists(this.getParamSize()) and
    input.isParameterDeref(this.getParamSrc()) and
    (
-      output.isParameterDeref(this.getParamDest()) or
-      output.isReturnValueDeref()
+      output.isParameterDeref(this.getParamDest())
+      or
+      not this.returnsTotalLength() and output.isReturnValueDeref()
    )
  }