Merge pull request #5011 from ihsinme/ihsinme-patch-221

CPP: add query for CWE-788 Access of memory location after the end of a buffer using strlen.
2026-05-05 05:35:13 +02:00 · 2021-02-04 14:25:27 +01:00
parent 9b39163411 b7df18b97e
commit d3d56fb0af
6 changed files with 129 additions and 0 deletions
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.expected
@@ -0,0 +1,9 @@
+| test.c:42:3:42:24 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:43:3:43:40 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:44:3:44:40 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:45:3:45:44 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:46:3:46:44 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:47:3:47:48 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:48:3:48:48 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:49:3:49:50 | ... = ... | potential unsafe or redundant assignment. |
+| test.c:50:3:50:50 | ... = ... | potential unsafe or redundant assignment. |
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.qlref
@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c
@@ -26,3 +26,48 @@ void workFunction_2_1(char *s) {
  strncat(buf, s, len-strlen(buf)-1); // GOOD
  strncat(buf, s, len-strlen(buf));  // GOOD
 }
+
+struct buffers
+{
+    unsigned char buff1[50];
+    unsigned char *buff2;
+} globalBuff1,*globalBuff2,globalBuff1_c,*globalBuff2_c;
+
+
+void badFunc0(){
+  unsigned char buff1[12];
+  struct buffers buffAll;
+  struct buffers * buffAll1;
+  
+  buff1[strlen(buff1)]=0; // BAD
+  buffAll.buff1[strlen(buffAll.buff1)]=0; // BAD
+  buffAll.buff2[strlen(buffAll.buff2)]=0; // BAD
+  buffAll1->buff1[strlen(buffAll1->buff1)]=0; // BAD
+  buffAll1->buff2[strlen(buffAll1->buff2)]=0; // BAD
+  globalBuff1.buff1[strlen(globalBuff1.buff1)]=0; // BAD
+  globalBuff1.buff2[strlen(globalBuff1.buff2)]=0; // BAD
+  globalBuff2->buff1[strlen(globalBuff2->buff1)]=0; // BAD
+  globalBuff2->buff2[strlen(globalBuff2->buff2)]=0; // BAD
+}
+void noBadFunc0(){
+  unsigned char buff1[12],buff1_c[12];
+  struct buffers buffAll,buffAll_c;
+  struct buffers * buffAll1,*buffAll1_c;
+  
+  buff1[strlen(buff1_c)]=0; // GOOD
+  buffAll.buff1[strlen(buffAll_c.buff1)]=0; // GOOD
+  buffAll.buff2[strlen(buffAll.buff1)]=0; // GOOD
+  buffAll1->buff1[strlen(buffAll1_c->buff1)]=0; // GOOD
+  buffAll1->buff2[strlen(buffAll1->buff1)]=0; // GOOD
+  globalBuff1.buff1[strlen(globalBuff1_c.buff1)]=0; // GOOD
+  globalBuff1.buff2[strlen(globalBuff1.buff1)]=0; // GOOD
+  globalBuff2->buff1[strlen(globalBuff2_c->buff1)]=0; // GOOD
+  globalBuff2->buff2[strlen(globalBuff2->buff1)]=0; // GOOD
+}
+void goodFunc0(){
+  unsigned char buffer[12];
+  int i;
+  for(i = 0; i < 6; i++)
+    buffer[i] = 'A';
+  buffer[i]=0;
+}
				`@@ -0,0 +1 @@`
				`experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql`