Merge pull request #10562 from rdmarsh2/rdmarsh2/cpp/field-off-by-one

C++: prototype for off-by-one in array-typed field
2026-04-30 11:15:13 +02:00 · 2022-10-06 11:04:12 +01:00
parent 5b67ba2939 32d0b58923
commit a856bc8678
6 changed files with 271 additions and 0 deletions
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected
@@ -0,0 +1,37 @@
+edges
+| test.cpp:66:32:66:32 | p | test.cpp:66:32:66:32 | Load |
+| test.cpp:66:32:66:32 | p | test.cpp:67:5:67:6 | * ... |
+| test.cpp:66:32:66:32 | p | test.cpp:67:6:67:6 | Load |
+| test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
+| test.cpp:77:26:77:44 | & ... | test.cpp:66:32:66:32 | p |
+| test.cpp:77:27:77:44 | access to array | test.cpp:77:26:77:44 | & ... |
+nodes
+| test.cpp:35:5:35:22 | access to array | semmle.label | access to array |
+| test.cpp:36:5:36:24 | access to array | semmle.label | access to array |
+| test.cpp:43:9:43:19 | access to array | semmle.label | access to array |
+| test.cpp:49:5:49:22 | access to array | semmle.label | access to array |
+| test.cpp:50:5:50:24 | access to array | semmle.label | access to array |
+| test.cpp:57:9:57:19 | access to array | semmle.label | access to array |
+| test.cpp:61:9:61:19 | access to array | semmle.label | access to array |
+| test.cpp:66:32:66:32 | Load | semmle.label | Load |
+| test.cpp:66:32:66:32 | p | semmle.label | p |
+| test.cpp:66:32:66:32 | p | semmle.label | p |
+| test.cpp:67:5:67:6 | * ... | semmle.label | * ... |
+| test.cpp:67:6:67:6 | Load | semmle.label | Load |
+| test.cpp:72:5:72:15 | access to array | semmle.label | access to array |
+| test.cpp:77:26:77:44 | & ... | semmle.label | & ... |
+| test.cpp:77:27:77:44 | access to array | semmle.label | access to array |
+subpaths
+#select
+| test.cpp:35:5:35:22 | access to array | test.cpp:35:5:35:22 | access to array | test.cpp:35:5:35:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:35:5:35:26 | Store: ... = ... | write |
+| test.cpp:36:5:36:24 | access to array | test.cpp:36:5:36:24 | access to array | test.cpp:36:5:36:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:36:5:36:28 | Store: ... = ... | write |
+| test.cpp:43:9:43:19 | access to array | test.cpp:43:9:43:19 | access to array | test.cpp:43:9:43:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:43:9:43:23 | Store: ... = ... | write |
+| test.cpp:49:5:49:22 | access to array | test.cpp:49:5:49:22 | access to array | test.cpp:49:5:49:22 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:49:5:49:26 | Store: ... = ... | write |
+| test.cpp:50:5:50:24 | access to array | test.cpp:50:5:50:24 | access to array | test.cpp:50:5:50:24 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:50:5:50:28 | Store: ... = ... | write |
+| test.cpp:57:9:57:19 | access to array | test.cpp:57:9:57:19 | access to array | test.cpp:57:9:57:19 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:57:9:57:23 | Store: ... = ... | write |
+| test.cpp:61:9:61:19 | access to array | test.cpp:61:9:61:19 | access to array | test.cpp:61:9:61:19 | access to array | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:19:9:19:11 | buf | buf | test.cpp:61:9:61:23 | Store: ... = ... | write |
+| test.cpp:72:5:72:15 | access to array | test.cpp:72:5:72:15 | access to array | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
+| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:66:32:66:32 | Load | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
+| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
+| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:67:5:67:6 | * ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
+| test.cpp:77:27:77:44 | access to array | test.cpp:77:27:77:44 | access to array | test.cpp:67:6:67:6 | Load | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.qlref
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/test.cpp
@@ -0,0 +1,80 @@
+#define MAX_SIZE 1024
+
+struct ZeroArray {
+    int size;
+    int buf[0];
+};
+
+struct OneArray {
+    int size;
+    int buf[1];
+};
+
+struct BigArray {
+    int size;
+    int buf[MAX_SIZE];
+};
+
+struct ArrayAndFields {
+    int buf[MAX_SIZE];
+    int field1;
+    int field2;
+};
+
+// tests for dynamic-size trailing arrays
+void testZeroArray(ZeroArray *arr) {
+    arr->buf[0] = 0;
+}
+
+void testOneArray(OneArray *arr) {
+    arr->buf[1] = 0;
+}
+
+void testBig(BigArray *arr) {
+    arr->buf[MAX_SIZE-1] = 0; // GOOD
+    arr->buf[MAX_SIZE] = 0;   // BAD
+    arr->buf[MAX_SIZE+1] = 0; // BAD
+
+    for(int i = 0; i < MAX_SIZE; i++) {
+        arr->buf[i] = 0; // GOOD
+    }
+    
+    for(int i = 0; i <= MAX_SIZE; i++) {
+        arr->buf[i] = 0; // BAD
+    }
+}
+
+void testFields(ArrayAndFields *arr) {
+    arr->buf[MAX_SIZE-1] = 0; // GOOD
+    arr->buf[MAX_SIZE] = 0;   // BAD?
+    arr->buf[MAX_SIZE+1] = 0; // BAD?
+
+    for(int i = 0; i < MAX_SIZE; i++) {
+        arr->buf[i] = 0; // GOOD
+    }
+    
+    for(int i = 0; i <= MAX_SIZE; i++) {
+        arr->buf[i] = 0; // BAD?
+    }
+
+    for(int i = 0; i < MAX_SIZE+2; i++) {
+        arr->buf[i] = 0; // BAD?
+    }
+    // is this different if it's a memcpy?
+}
+
+void assignThroughPointer(int *p) {
+    *p = 0; // ??? should the result go at a flow source?
+}
+
+void addToPointerAndAssign(int *p) {
+    p[MAX_SIZE-1] = 0; // GOOD
+    p[MAX_SIZE] = 0; // BAD
+}
+
+void testInterproc(BigArray *arr) {
+    assignThroughPointer(&arr->buf[MAX_SIZE-1]); // GOOD
+    assignThroughPointer(&arr->buf[MAX_SIZE]); // BAD
+
+    addToPointerAndAssign(arr->buf);
+}
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql`