diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.cpp b/cpp/ql/src/experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.cpp
index 432f144b4bb..4928db37a17 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.cpp
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.cpp
@@ -1,10 +1,10 @@
 ...
- r = scanf("%i", i);
+ r = scanf("%i", &i);
 if (r == 1) // GOOD
 return i;
 else
 return -1;
 ...
- scanf("%i", i); // BAD
+ scanf("%i", &i); // BAD
 return i;
 ...
diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql b/cpp/ql/src/experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
index 4dc141be247..67eebb62bb9 100644
--- a/cpp/ql/src/experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
+++ b/cpp/ql/src/experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
@@ -1,5 +1,5 @@
 /**
- * @name Improper check return value scanf.
+ * @name Improper check return value scanf
 * @description Using a function call without the ability to evaluate the correctness of the work can lead to unexpected results.
 * @kind problem
 * @id cpp/improper-check-return-value-scanf
@@ -15,20 +15,16 @@ import cpp
 import semmle.code.cpp.commons.Exclusions
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
-/** Returns the starting position of the argument being filled. */
+/** Returns the position of the first argument being filled. */
 int posArgumentInFunctionCall(FunctionCall fc) {
 (
 (
- fc.getTarget().hasGlobalOrStdName("scanf") or
- fc.getTarget().hasGlobalOrStdName("scanf_s")
+ fc.getTarget().hasGlobalOrStdName(["scanf", "scanf_s"])
 ) and
 result = 1
 or
 (
- fc.getTarget().hasGlobalOrStdName("fscanf") or
- fc.getTarget().hasGlobalOrStdName("sscanf") or
- fc.getTarget().hasGlobalOrStdName("fscanf_s") or
- fc.getTarget().hasGlobalOrStdName("sscanf_s")
+ fc.getTarget().hasGlobalOrStdName(["fscanf", "sscanf", "fscanf_s", "sscanf_s"])
 ) and
 result = 2
 )
diff --git a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/test.cpp b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/test.cpp
index 4389cb506a2..588100e5b78 100644
--- a/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/test.cpp
+++ b/cpp/ql/test/experimental/query-tests/Security/CWE/CWE-754/semmle/tests/test.cpp
@@ -2,7 +2,7 @@ int scanf(const char *format, ...);
 int globalVal;
 int functionWork1() {
 int i;
- if (scanf("%i", i) == 1) // GOOD
+ if (scanf("%i", &i) == 1) // GOOD
 return i;
 else
 return -1;
@@ -11,7 +11,7 @@ int functionWork1() {
 int functionWork1_() {
 int i;
 int r;
- r = scanf("%i", i);
+ r = scanf("%i", &i);
 if (r == 1) // GOOD
 return i;
 else
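Review bot: The consolidated name lists in posArgumentInFunctionCall still leave out the wide-character members of the family — `wscanf`, `fwscanf`, `swscanf` and their `_s` forms — which return the same conversion count and take their output arguments at the same positions as the narrow functions, so an unchecked call to one of them stays silently out of the query's scope. If that omission is not deliberate, the two new lines would become `fc.getTarget().hasGlobalOrStdName(["scanf", "scanf_s", "wscanf", "wscanf_s"])` and `fc.getTarget().hasGlobalOrStdName(["fscanf", "sscanf", "fscanf_s", "sscanf_s", "fwscanf", "swscanf", "fwscanf_s", "swscanf_s"])`. The reworded doc comment could also say what "position" means, since the values 1 and 2 appear to be 0-based argument indexes: `/** Returns the 0-based index of the first output argument of a scanf-family call, i.e. the argument directly after the format string. */`. The predicate's closing brace lies outside the hunk.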
@@ -20,25 +20,25 @@ int functionWork1_() {
 int functionWork1b() {
 int i;
- scanf("%i", i); // BAD
+ scanf("%i", &i); // BAD
 return i;
 }
 int functionWork2() {
 int i = 0;
- scanf("%i", i); // GOOD:the error can be determined by examining the initial value.
+ scanf("%i", &i); // GOOD:the error can be determined by examining the initial value.
 return i;
 }
 int functionWork2_() {
 int i;
 i = 0;
- scanf("%i", i); // GOOD:the error can be determined by examining the initial value.
+ scanf("%i", &i); // GOOD:the error can be determined by examining the initial value.
 return i;
 }
 int functionWork2b() {
 int i;
- scanf("%i", i); // BAD
+ scanf("%i", &i); // BAD
 globalVal = i;
 return 0;
 }
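Review bot: The re-pointed GOOD comments on functionWork2 and functionWork2_ keep the `GOOD:the` spacing and a trailing full stop that none of the other `// GOOD` / `// BAD` markers in this hunk use; `// GOOD: the error can be determined by examining the initial value` would match the marker style used elsewhere. Those two comments also assert that the error "can be determined by examining the initial value" although neither function examines it — both simply `return i` — so if the label reflects the query's heuristic rather than the function's own logic, a wording such as `// GOOD: i is initialised, so the query treats a failed conversion as detectable` would keep the fixture honest. Beyond that, the fixture has no case whose result is compared against anything other than the conversion count (for instance `if (scanf("%i", &i) != EOF)`), so the expected output cannot show whether such a partial check is accepted as GOOD; one such function, labelled with whatever the query is intended to report, would pin that behaviour down.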