Merge branch 'main' into ihsinme-patch-221

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-14/semmle/tests/CompilerRemovalOfCodeToClearBuffers.expected

@@ -0,0 +1,3 @@
+| test.c:13:9:13:13 | buff1 | This variable will not be cleared. |
+| test.c:35:9:35:13 | buff1 | This variable will not be cleared. |
+| test.c:43:9:43:13 | buff1 | This variable will not be cleared. |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-14/semmle/tests/CompilerRemovalOfCodeToClearBuffers.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-14/CompilerRemovalOfCodeToClearBuffers.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-14/semmle/tests/test.c

@@ -0,0 +1,201 @@
+struct buffers
+{
+    unsigned char buff1[50];
+    unsigned char *buff2;
+} globalBuff1,*globalBuff2;
+
+unsigned char * globalBuff;
+void badFunc0_0(){
+	unsigned char buff1[12];
+	int i;
+	for(i=0;i<12;i++)
+		buff1[i]=13;
+	memset(buff1,12,12);
+}
+void nobadFunc0_0(){
+	unsigned char buff1[12];
+	memset(buff1,12,12);
+}
+void nobadFunc0_1(){
+	unsigned char buff1[12];
+	int i;
+	memset(buff1,12,12);
+	for(i=0;i<12;i++)
+		buff1[i]=13;
+	free(buff1);
+}
+void nobadFunc1_0(){
+	unsigned char * buff1;
+	buff1 = (unsigned char *) malloc(12);
+	memset(buff1,12,12);
+}
+void badFunc1_0(){
+	unsigned char * buff1;
+	buff1 = (unsigned char *) malloc(12);
+	memset(buff1,12,12);
+	free(buff1);
+}
+void badFunc1_1(){
+	unsigned char buff1[12];
+	int i;
+	for(i=0;i<12;i++)
+		buff1[i]=13;	
+	memset(buff1,12,12);
+	free(buff1);
+}
+void nobadFunc2_0_0(){
+	unsigned char buff1[12];
+	int i;
+	for(i=0;i<12;i++)
+		buff1[i]=13;
+	memset(buff1,12,12);
+	printf(buff1);
+}
+
+void nobadFunc2_0_1(){
+	unsigned char buff1[12];
+	int i;
+	for(i=0;i<12;i++)
+		buff1[i]=13;
+	memset(buff1,12,12);
+	printf(buff1+3);
+}
+
+void nobadFunc2_0_2(){
+	unsigned char buff1[12];
+	int i;
+	for(i=0;i<12;i++)
+		buff1[i]=13;
+	memset(buff1,12,12);
+	printf(*buff1);
+}
+
+void nobadFunc2_0_3(){
+	unsigned char buff1[12];
+	int i;
+	for(i=0;i<12;i++)
+		buff1[i]=13;
+	memset(buff1,12,12);
+	printf(*(buff1+3));
+}
+unsigned char * nobadFunc2_0_4(){
+	unsigned char buff1[12];
+	int i;
+	for(i=0;i<12;i++)
+		buff1[i]=13;
+	memset(buff1,12,12);
+	return buff1;
+}
+
+unsigned char * nobadFunc2_0_5(){
+	unsigned char buff1[12];
+	int i;
+	for(i=0;i<12;i++)
+		buff1[i]=13;
+	memset(buff1,12,12);
+	return buff1+3;
+}
+unsigned char nobadFunc2_0_6(){
+	unsigned char buff1[12];
+	int i;
+	for(i=0;i<12;i++)
+		buff1[i]=13;
+	memset(buff1,12,12);
+	return *buff1;
+}
+
+unsigned char nobadFunc2_0_7(){
+	unsigned char buff1[12];
+	int i;
+	for(i=0;i<12;i++)
+		buff1[i]=13;
+	memset(buff1,12,12);
+	return *(buff1+3);
+}
+void nobadFunc2_1_0(){
+	unsigned char buff1[12];
+	int i;
+	for(i=0;i<12;i++)
+		buff1[i]=13;
+	memset(buff1,12,12);
+	if(*buff1==0)
+		printf("123123");
+}
+void nobadFunc2_1_1(){
+	unsigned char buff1[12];
+	int i;
+	for(i=0;i<12;i++)
+		buff1[i]=13;
+	memset(buff1,12,12);
+	if(*(buff1+3)==0)
+		printf("123123");
+}
+void nobadFunc2_1_2(){
+	unsigned char buff1[12];
+	int i;
+	for(i=0;i<12;i++)
+		buff1[i]=13;
+	memset(buff1,12,12);
+	buff1[2]=5;
+}
+void nobadFunc3_0(unsigned char * buffAll){
+	unsigned char * buff1 = buffAll;
+	memset(buff1,12,12);
+}
+void nobadFunc3_1(unsigned char * buffAll){
+	unsigned char * buff1 = buffAll+3;
+	memset(buff1,12,12);
+}
+void nobadFunc3_2(struct buffers buffAll){
+	unsigned char * buff1 = buffAll.buff1;
+	memset(buff1,12,12);
+}
+void nobadFunc3_3(struct buffers buffAll){
+	unsigned char * buff1 = buffAll.buff2;
+	memset(buff1,12,12);
+}
+void nobadFunc3_4(struct buffers buffAll){
+	unsigned char * buff1 = buffAll.buff2+3;
+	memset(buff1,12,12);
+}
+void nobadFunc3_5(struct buffers * buffAll){
+	unsigned char * buff1 = buffAll->buff1;
+	memset(buff1,12,12);
+}
+void nobadFunc3_6(struct buffers *buffAll){
+	unsigned char * buff1 = buffAll->buff2;
+	memset(buff1,12,12);
+}
+void nobadFunc4(){
+	unsigned char * buff1 = globalBuff;
+	memset(buff1,12,12);
+}
+void nobadFunc4_0(){
+	unsigned char * buff1 = globalBuff;
+	memset(buff1,12,12);
+}
+void nobadFunc4_1(){
+	unsigned char * buff1 = globalBuff+3;
+	memset(buff1,12,12);
+}
+void nobadFunc4_2(){
+	unsigned char * buff1 = globalBuff1.buff1;
+	memset(buff1,12,12);
+}
+void nobadFunc4_3(){
+	unsigned char * buff1 = globalBuff1.buff2;
+	memset(buff1,12,12);
+}
+void nobadFunc4_4(){
+	unsigned char * buff1 = globalBuff1.buff2+3;
+	memset(buff1,12,12);
+}
+void nobadFunc4_5(){
+	unsigned char * buff1 = globalBuff2->buff1;
+	memset(buff1,12,12);
+}
+void nobadFunc4_6(){
+	unsigned char * buff1 = globalBuff2->buff2;
+	memset(buff1,12,12);
+}
+

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-359/semmle/tests/PrivateCleartextWrite.expected

@@ -13,9 +13,9 @@ nodes
 | test.cpp:96:37:96:46 | theZipcode | semmle.label | theZipcode |
 | test.cpp:99:42:99:51 | theZipcode | semmle.label | theZipcode |
 #select
-| test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:57:9:57:18 | theZipcode | this source. |
-| test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@ | test.cpp:74:24:74:30 | medical | this source. |
-| test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@ | test.cpp:77:16:77:22 | medical | this source. |
-| test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@ | test.cpp:81:22:81:28 | medical | this source. |
-| test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:96:37:96:46 | theZipcode | this source. |
-| test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:99:42:99:51 | theZipcode | this source. |
+| test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | test.cpp:57:9:57:18 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:57:9:57:18 | theZipcode | this source. |
+| test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | test.cpp:74:24:74:30 | medical | This write into the external location 'medical' may contain unencrypted data from $@ | test.cpp:74:24:74:30 | medical | this source. |
+| test.cpp:78:24:78:27 | temp | test.cpp:77:16:77:22 | medical | test.cpp:78:24:78:27 | temp | This write into the external location 'temp' may contain unencrypted data from $@ | test.cpp:77:16:77:22 | medical | this source. |
+| test.cpp:82:24:82:28 | buff5 | test.cpp:81:22:81:28 | medical | test.cpp:82:24:82:28 | buff5 | This write into the external location 'buff5' may contain unencrypted data from $@ | test.cpp:81:22:81:28 | medical | this source. |
+| test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | test.cpp:96:37:96:46 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:96:37:96:46 | theZipcode | this source. |
+| test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | test.cpp:99:42:99:51 | theZipcode | This write into the external location 'theZipcode' may contain unencrypted data from $@ | test.cpp:99:42:99:51 | theZipcode | this source. |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/MemoryLeakOnFailedCallToRealloc.expected

@@ -2,3 +2,7 @@
 | test.c:63:29:63:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
 | test.c:139:29:139:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
 | test.c:186:29:186:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
+| test.c:282:29:282:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
+| test.c:299:26:299:32 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
+| test.c:328:29:328:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |
+| test.c:342:29:342:35 | call to realloc | possible loss of original pointer on unsuccessful call realloc |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-401/semmle/tests/test.c

@@ -2,7 +2,7 @@
 #define NULL ((void*)0)
 
 #define assert(x) if (!(x)) __assert_fail(#x,__FILE__,__LINE__)
-void __assert_fail(const char *assertion, const char *file, int line) {  }
+void __assert_fail(const char *assertion, const char *file, int line);
 
 void aFakeFailed_1(int file, int line)
 {
@@ -272,3 +272,75 @@ unsigned char * noBadResize_2_7(unsigned char * buffer,size_t currentSize,size_t
 	myASSERT_2(buffer);
 	return buffer;
 }
+
+unsigned char *goodResize_3_1(unsigned char *buffer, size_t currentSize, size_t newSize)
+{
+	// GOOD: this way we will exclude possible memory leak [FALSE POSITIVE]
+	unsigned char *tmp = buffer;
+	if (currentSize < newSize)
+	{
+		buffer = (unsigned char *)realloc(buffer, newSize);
+		if (buffer == NULL)
+		{
+			free(tmp);
+			return NULL;
+		} 
+	}
+
+	return buffer;
+}
+
+unsigned char *goodResize_3_2(unsigned char *buffer, size_t currentSize, size_t newSize)
+{
+	// GOOD: this way we will exclude possible memory leak [FALSE POSITIVE]
+	unsigned char *tmp = buffer;
+	if (currentSize < newSize)
+	{
+		tmp = (unsigned char *)realloc(tmp, newSize);
+		if (tmp != 0)
+		{
+			buffer = tmp;
+		} 
+	}
+
+	return buffer;
+}
+
+void abort(void);
+
+unsigned char *noBadResize_4_1(unsigned char *buffer, size_t currentSize, size_t newSize)
+{
+	// GOOD: program to end
+	if (currentSize < newSize)
+	{
+		if (buffer = (unsigned char *)realloc(buffer, newSize))
+			abort();
+	}
+
+	return buffer;
+}
+
+unsigned char * badResize_5_2(unsigned char *buffer, size_t currentSize, size_t newSize, int cond)
+{
+	// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
+	if (currentSize < newSize)
+	{
+		buffer = (unsigned char *)realloc(buffer, newSize);
+	}
+	if (cond)
+	{
+		abort(); // irrelevant
+	}
+	return buffer;
+}
+
+unsigned char * badResize_5_1(unsigned char *buffer, size_t currentSize, size_t newSize, int cond)
+{
+	// BAD: on unsuccessful call to realloc, we will lose a pointer to a valid memory block
+	if (currentSize < newSize)
+	{
+		buffer = (unsigned char *)realloc(buffer, newSize);
+		assert(cond); // irrelevant
+	}
+	return buffer;
+}

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.expected

@@ -0,0 +1,3 @@
+| test.c:4:3:4:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |
+| test.c:11:3:11:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |
+| test.c:19:3:19:9 | call to strncat | if the used buffer is full, writing out of the buffer is possible |

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.qlref

@@ -0,0 +1 @@
+experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrncat.ql

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-788/semmle/tests/test.c

@@ -0,0 +1,28 @@
+void workFunction_0(char *s) {
+  char buf[80];
+  strncat(buf, s, sizeof(buf)-strlen(buf)-1); // GOOD
+  strncat(buf, s, sizeof(buf)-strlen(buf));  // BAD
+  strncat(buf, "fix", sizeof(buf)-strlen(buf)); // BAD [NOT DETECTED] 
+}
+void workFunction_1(char *s) {
+#define MAX_SIZE 80
+  char buf[MAX_SIZE];
+  strncat(buf, s, MAX_SIZE-strlen(buf)-1); // GOOD
+  strncat(buf, s, MAX_SIZE-strlen(buf));  // BAD
+  strncat(buf, "fix", MAX_SIZE-strlen(buf)); // BAD [NOT DETECTED]
+}
+void workFunction_2_0(char *s) {
+  char * buf;
+  int len=80;
+  buf = (char *) malloc(len);
+  strncat(buf, s, len-strlen(buf)-1); // GOOD
+  strncat(buf, s, len-strlen(buf));  // BAD
+  strncat(buf, "fix", len-strlen(buf)); // BAD [NOT DETECTED]
+}
+void workFunction_2_1(char *s) {
+  char * buf;
+  int len=80;
+  buf = (char *) malloc(len+1);
+  strncat(buf, s, len-strlen(buf)-1); // GOOD
+  strncat(buf, s, len-strlen(buf));  // GOOD
+}