CPP: Model strndup.

cpp/ql/src/semmle/code/cpp/models/implementations/Strdup.qll

@@ -43,3 +43,32 @@ class StrdupFunction extends AllocationFunction, ArrayFunction, DataFlowFunction
     output.isReturnValueDeref()
   }
 }
+
+/**
+ * A `strndup` style allocation function.
+ */
+class StrndupFunction extends AllocationFunction, ArrayFunction, TaintFunction {
+  StrndupFunction() {
+    exists(string name |
+      hasGlobalOrStdName(name) and
+      (
+        // strndup(str, maxlen)
+        name = "strndup"
+      )
+    )
+  }
+
+  override predicate hasArrayInput(int bufParam) { bufParam = 0 }
+
+  override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    // This function may do only a partial copy of the input buffer to the output
+    // buffer, so it's a taint flow.
+    (
+      input.isParameterDeref(0) or
+      input.isParameter(1)
+    ) and
+    output.isReturnValueDeref()
+  }
+}

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -337,9 +337,13 @@
 | taint.cpp:370:13:370:26 | hello, world | taint.cpp:370:6:370:11 | call to strdup | TAINT |
 | taint.cpp:371:6:371:12 | call to strndup | taint.cpp:371:2:371:25 | ... = ... |  |
 | taint.cpp:371:6:371:12 | call to strndup | taint.cpp:374:7:374:7 | c |  |
+| taint.cpp:371:14:371:19 | source | taint.cpp:371:6:371:12 | call to strndup | TAINT |
+| taint.cpp:371:22:371:24 | 100 | taint.cpp:371:6:371:12 | call to strndup | TAINT |
 | taint.cpp:377:23:377:28 | source | taint.cpp:381:30:381:35 | source |  |
 | taint.cpp:381:6:381:12 | call to strndup | taint.cpp:381:2:381:36 | ... = ... |  |
 | taint.cpp:381:6:381:12 | call to strndup | taint.cpp:382:7:382:7 | a |  |
+| taint.cpp:381:14:381:27 | hello, world | taint.cpp:381:6:381:12 | call to strndup | TAINT |
+| taint.cpp:381:30:381:35 | source | taint.cpp:381:6:381:12 | call to strndup | TAINT |
 | taint.cpp:385:27:385:32 | source | taint.cpp:389:13:389:18 | source |  |
 | taint.cpp:389:6:389:11 | call to wcsdup | taint.cpp:389:2:389:19 | ... = ... |  |
 | taint.cpp:389:6:389:11 | call to wcsdup | taint.cpp:391:7:391:7 | a |  |

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -371,7 +371,7 @@ void test_strdup(char *source)
 	c = strndup(source, 100);
 	sink(a); // tainted
 	sink(b);
-	sink(c); // tainted [NOT DETECTED]
+	sink(c); // tainted
 }
 
 void test_strndup(int source)
@@ -379,7 +379,7 @@ void test_strndup(int source)
 	char *a;
 
 	a = strndup("hello, world", source);
-	sink(a);
+	sink(a); // tainted
 }
 
 void test_wcsdup(wchar_t *source)

cpp/ql/test/library-tests/dataflow/taint-tests/taint.expected

@@ -38,6 +38,8 @@
 | taint.cpp:351:7:351:7 | a | taint.cpp:330:6:330:11 | call to source |
 | taint.cpp:352:7:352:7 | b | taint.cpp:330:6:330:11 | call to source |
 | taint.cpp:372:7:372:7 | a | taint.cpp:365:24:365:29 | source |
+| taint.cpp:374:7:374:7 | c | taint.cpp:365:24:365:29 | source |
+| taint.cpp:382:7:382:7 | a | taint.cpp:377:23:377:28 | source |
 | taint.cpp:391:7:391:7 | a | taint.cpp:385:27:385:32 | source |
 | taint.cpp:423:7:423:7 | a | taint.cpp:422:14:422:19 | call to source |
 | taint.cpp:424:9:424:17 | call to getMember | taint.cpp:422:14:422:19 | call to source |

cpp/ql/test/library-tests/dataflow/taint-tests/test_diff.expected

@@ -25,6 +25,8 @@
 | taint.cpp:351:7:351:7 | taint.cpp:330:6:330:11 | AST only |
 | taint.cpp:352:7:352:7 | taint.cpp:330:6:330:11 | AST only |
 | taint.cpp:372:7:372:7 | taint.cpp:365:24:365:29 | AST only |
+| taint.cpp:374:7:374:7 | taint.cpp:365:24:365:29 | AST only |
+| taint.cpp:382:7:382:7 | taint.cpp:377:23:377:28 | AST only |
 | taint.cpp:391:7:391:7 | taint.cpp:385:27:385:32 | AST only |
 | taint.cpp:423:7:423:7 | taint.cpp:422:14:422:19 | AST only |
 | taint.cpp:424:9:424:17 | taint.cpp:422:14:422:19 | AST only |