hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 19:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity

C++: Fix flow for return values of strlcat and strlcpy

Browse Source
This commit is contained in:
Jeroen Ketema
2023-11-10 12:28:48 +01:00
parent e4c8406365
commit 5e21a5d284
2 changed files with 12 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
View File

@@ -96,7 +96,7 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
/** /**
* The `strlcat` function. * The `strlcat` function.
*/ */
class StrlcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, SideEffectFunction { class StrlcatFunction extends TaintFunction, ArrayFunction, SideEffectFunction {
StrlcatFunction() { StrlcatFunction() {
this.hasGlobalName("strlcat") // strlcat(dst, src, dst_size) this.hasGlobalName("strlcat") // strlcat(dst, src, dst_size)
} }
@@ -116,11 +116,6 @@ class StrlcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Si
*/ */
int getParamDest() { result = 0 } int getParamDest() { result = 0 }
override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
input.isParameter(0) and
output.isReturnValue()
}
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) { override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
( (
input.isParameter(2) input.isParameter(2)
@@ -129,7 +124,7 @@ class StrlcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Si
or or
input.isParameterDeref(1) input.isParameterDeref(1)
) and ) and
(output.isParameterDeref(0) or output.isReturnValueDeref()) (output.isParameterDeref(0) or output.isReturnValue())
} }
override predicate hasArrayInput(int param) { override predicate hasArrayInput(int param) {

13
cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
View File

@@ -54,6 +54,11 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
*/ */
private predicate isSVariant() { this.getName().matches("%\\_s") } private predicate isSVariant() { this.getName().matches("%\\_s") }
/**
* Holds if the function returns the total length the string would have had if the size was unlimited.
*/
private predicate returnsTotalLength() { this.getName() = "strlcpy" }
/** /**
* Gets the index of the parameter that is the maximum size of the copy (in characters). * Gets the index of the parameter that is the maximum size of the copy (in characters).
*/ */
@@ -61,7 +66,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
if this.isSVariant() if this.isSVariant()
then result = 1 then result = 1
else ( else (
this.getName().matches(["%ncpy%", "%nbcpy%", "%xfrm%", "%lcpy%"]) and this.getName().matches(["%ncpy%", "%nbcpy%", "%xfrm%", "strlcpy"]) and
result = 2 result = 2
) )
} }
@@ -101,6 +106,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
input.isParameterDeref(this.getParamSrc()) and input.isParameterDeref(this.getParamSrc()) and
output.isReturnValueDeref() output.isReturnValueDeref()
or or
not this.returnsTotalLength() and
input.isParameter(this.getParamDest()) and input.isParameter(this.getParamDest()) and
output.isReturnValue() output.isReturnValue()
} }
@@ -111,8 +117,9 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
exists(this.getParamSize()) and exists(this.getParamSize()) and
input.isParameterDeref(this.getParamSrc()) and input.isParameterDeref(this.getParamSrc()) and
( (
output.isParameterDeref(this.getParamDest()) or output.isParameterDeref(this.getParamDest())
output.isReturnValueDeref() or
not this.returnsTotalLength() and output.isReturnValueDeref()
) )
} }