hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Use Strcpy.qll in StrncpyFlippedArgs.ql

Browse Source 
As a result, the query gets access to more types of strncpy-like
functions, as demonstrated by test.cpp, which now "fails" (i.e. works) for the new test
cases instroduced
in the previous commit.
This commit is contained in:
Nora Dimitrijević
2022-08-09 15:59:41 +02:00
parent 554aea1bb8
commit df419003ad
2 changed files with 8 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
View File

@@ -18,6 +18,7 @@
import cpp import cpp
import Buffer import Buffer
private import semmle.code.cpp.valuenumbering.GlobalValueNumbering private import semmle.code.cpp.valuenumbering.GlobalValueNumbering
private import semmle.code.cpp.models.implementations.Strcpy
predicate isSizePlus(Expr e, BufferSizeExpr baseSize, int plus) { predicate isSizePlus(Expr e, BufferSizeExpr baseSize, int plus) {
// baseSize // baseSize
@@ -41,33 +42,6 @@ predicate isSizePlus(Expr e, BufferSizeExpr baseSize, int plus) {
) )
} }
predicate strncpyFunction(Function f, int argDest, int argSrc, int argLimit) {
exists(string name | name = f.getName() |
name =
[
"strcpy_s", // strcpy_s(dst, max_amount, src)
"wcscpy_s", // wcscpy_s(dst, max_amount, src)
"_mbscpy_s" // _mbscpy_s(dst, max_amount, src)
] and
argDest = 0 and
argSrc = 2 and
argLimit = 1
or
name =
[
"strncpy", // strncpy(dst, src, max_amount)
"strncpy_l", // strncpy_l(dst, src, max_amount, locale)
"wcsncpy", // wcsncpy(dst, src, max_amount)
"_wcsncpy_l", // _wcsncpy_l(dst, src, max_amount, locale)
"_mbsncpy", // _mbsncpy(dst, src, max_amount)
"_mbsncpy_l" // _mbsncpy_l(dst, src, max_amount, locale)
] and
argDest = 0 and
argSrc = 1 and
argLimit = 2
)
}
string nthString(int num) { string nthString(int num) {
num = 0 and num = 0 and
result = "first" result = "first"
@@ -96,11 +70,13 @@ int arrayExprFixedSize(Expr e) {
} }
from from
Function f, FunctionCall fc, int argDest, int argSrc, int argLimit, int charSize, Access copyDest, StrcpyFunction f, FunctionCall fc, int argDest, int argSrc, int argLimit, int charSize, Access copyDest,
Access copySource, string name, string nth Access copySource, string name, string nth
where where
f = fc.getTarget() and f = fc.getTarget() and
strncpyFunction(f, argDest, argSrc, argLimit) and argDest = f.getParamDest() and
argSrc = f.getParamSrc() and
argLimit = f.getParamSize() and
copyDest = fc.getArgument(argDest) and copyDest = fc.getArgument(argDest) and
copySource = fc.getArgument(argSrc) and copySource = fc.getArgument(argSrc) and
// Some of the functions operate on a larger char type, like `wchar_t`, so we // Some of the functions operate on a larger char type, like `wchar_t`, so we

6
cpp/ql/test/query-tests/Likely Bugs/Memory Management/StrncpyFlippedArgs/test.cpp
View File

@@ -102,10 +102,10 @@ void test9()
wchar_t buf2[20]; wchar_t buf2[20];
const wchar_t *str = L"01234567890123456789"; const wchar_t *str = L"01234567890123456789";
wcsxfrm_l(buf1, str, sizeof(buf1), nullptr); // (bad, but not a strncpyflippedargs bug) wcsxfrm_l(buf1, str, sizeof(buf1), nullptr); // BAD (but not a StrncpyFlippedArgs bug)
wcsxfrm_l(buf1, str, sizeof(buf1) / sizeof(wchar_t), nullptr); wcsxfrm_l(buf1, str, sizeof(buf1) / sizeof(wchar_t), nullptr); // GOOD
wcsxfrm_l(buf1, str, wcslen(str), nullptr); // BAD wcsxfrm_l(buf1, str, wcslen(str), nullptr); // BAD
wcsxfrm_l(buf1, str, wcslen(str) + 1, nullptr); // BAD wcsxfrm_l(buf1, str, wcslen(str) + 1, nullptr); // BAD
wcsxfrm_l(buf1, buf2, sizeof(buf2), nullptr); // BAD wcsxfrm_l(buf1, buf2, sizeof(buf2), nullptr); // BAD
wcsxfrm_l(buf1, buf2, sizeof(buf2) / sizeof(wchar_t), nullptr); // BAD [NOT DETECTED] wcsxfrm_l(buf1, buf2, sizeof(buf2) / sizeof(wchar_t), nullptr); // BAD
} }