Add files via upload

2026-04-30 19:26:02 +02:00 · 2021-01-25 00:30:35 +03:00
parent 69664535b0
commit 9ae503a5a8
3 changed files with 65 additions and 0 deletions
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.c
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.c
@@ -0,0 +1,9 @@
+// BAD: if buffer does not have a terminal zero, then access outside the allocated memory is possible.
+
+buffer[strlen(buffer)] = 0;
+
+
+// GOOD: we will eliminate dangerous behavior if we use a different method of calculating the length. 
+size_t len;
+...
+buffer[len] = 0
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qhelp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qhelp
@@ -0,0 +1,31 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Potentially dangerous use of the strlen function to calculate the length of a string.
+The expression <code>buffer[strlen(buffer)] = 0</code> is potentially dangerous, if the variable buffer does not have a terminal zero, then access beyond the bounds of the allocated memory is possible, which will lead to undefined behavior.
+If terminal zero is present, then the specified expression is meaningless.</p>
+
+<p>False positives include heavily nested strlen. This situation is unlikely.</p>
+
+</overview>
+<recommendation>
+
+<p>We recommend using another method for calculating the string length</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates an erroneous and corrected use of the strlen function.</p>
+<sample src="AccessOfMemoryLocationAfterEndOfBuffer.c" />
+
+</example>
+<references>
+
+<li>
+  CERT C Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string">STR32-C. Do not pass a non-null-terminated character sequence to a library function that expects a string</a>.
+</li>
+
+</references>
+</qhelp>
--- a/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
@@ -0,0 +1,25 @@
+/**
+ * @name Access Of Memory Location After End Of Buffer
+ * @description --The expression buffer [strlen (buffer)] = 0 is potentially dangerous, if the variable buffer does not have a terminal zero, then access beyond the bounds of the allocated memory is possible, which will lead to undefined behavior.
+ *              --If terminal zero is present, then the specified expression is meaningless.
+ *              --We recommend using another method for calculating the string length.
+ * @kind problem
+ * @id cpp/access-memory-location-after-end-buffer
+ * @problem.severity warning
+ * @precision medium
+ * @tags correctness
+ *       security
+ *       external/cwe/cwe-788
+ */
+
+import cpp
+import semmle.code.cpp.valuenumbering.HashCons
+
+from FunctionCall fc, AssignExpr expr, ArrayExpr exprarr
+where
+  fc.getTarget().hasGlobalOrStdName("strlen") and
+  exprarr = expr.getLValue() and
+  expr.getRValue().getValue().toInt() = 0 and
+  exprarr.getArrayOffset() = fc and
+  hashCons(fc.getArgument(0)) = hashCons(exprarr.getArrayBase())
+select expr, "use a different method to calculate the length."