hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 11:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

CPP: Update qhelp.

Browse Source
This commit is contained in:
Geoffrey White
2019-01-29 11:17:58 +00:00
parent 87a25f0cbe
commit f7e7737789
2 changed files with 11 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.qhelp
View File

@@ -3,13 +3,12 @@
"qhelp.dtd">
<qhelp>
<overview>
<p>This rule highlights potentially overflowing calls to the functions <code>sprintf</code>, <code>vsprintf</code>, and <code>gets</code> with a warning.
These functions allow unbounded writes to buffers, which may cause an overflow when used on untrusted data or without adequate checks on the size of the data. Function calls of this type constitute a security risk through buffer overflows. The <code>gets</code> function, in particular,
is one of the vulnerabilities exploited by the Internet Worm of 1988, one of the first computer worms to spread through the Internet.</p>
<p>This rule highlights potentially overflowing calls to the functions <code>sprintf</code> and <code>vsprintf</code> with a warning.
These functions allow unbounded writes to buffers, which may cause an overflow when used on untrusted data or without adequate checks on the size of the data. Function calls of this type constitute a security risk through buffer overflows.
</overview>
<recommendation>
<p>Always control the length of buffer copy and buffer write operations. Use the safer variants <code>snprintf</code>, <code>vsnprintf</code>, and <code>fgets</code>, which include an extra buffer length argument.</p>
<p>Always control the length of buffer copy and buffer write operations. Use the safer variants <code>snprintf</code> and <code>vsnprintf</code>, which include an extra buffer length argument.</p>
</recommendation>
<example>
@@ -18,7 +17,6 @@ is one of the vulnerabilities exploited by the Internet Worm of 1988, one of the
<p>To improve the security of this example code, three changes should be made:</p>
<ol>
<li>Introduce a preprocessor define for the size of the buffer.</li>
<li>Replace the call to <code>gets</code> with <code>fgets</code>, specifying the define as the maximum length to copy. This will prevent the buffer overflow.</li>
<li>Replace both calls to <code>sprintf</code> with <code>snprintf</code>, specifying the define as the maximum length to copy. This will prevent the buffer overflow.</li>
<li>Consider using the %g format specifier instead of %f.</li>
</ol>
@@ -33,8 +31,6 @@ Standard: <a href="https://www.securecoding.cert.org/confluence/display/c/STR31-
that storage for strings has sufficient space for character data and
the null terminator</a>.</li>
<li>M. Howard, D. Leblanc, J. Viega, <i>19 Deadly Sins of Software Security: Programming Flaws and How to Fix Them</i>, McGraw-Hill Osborne, 2005.</li>
<li>Wikipedia: <a href="http://en.wikipedia.org/wiki/Morris_worm">Morris worm</a>.</li>
<li>E. Spafford. <i>The Internet Worm Program: An Analysis</i>. Purdue Technical Report CSD-TR-823, <a href="http://www.textfiles.com/100/tr823.txt">(online)</a>, 1988.</li>
</references>

12
cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.qhelp
View File

@@ -5,9 +5,11 @@
<overview>
<p>This rule finds calls to functions that are dangerous to
use. Currently, it checks for calls
to <code>gmtime</code>. See <strong>Related rules</strong>
to <code>gets</code> and <code>gmtime</code>. See <strong>Related rules</strong>
below for rules that identify other dangerous functions.</p>
<p>The <code>gets</code> function is one of the vulnerabilities exploited by the Internet Worm of 1988, one of the first computer worms to spread through the Internet.</p>
<p>The <code>gmtime</code> function fills data into a <code>tm</code>
struct in shared memory and then returns a pointer to that struct. If
the function is called from multiple places in the same program, and
@@ -17,7 +19,9 @@ then the calls will overwrite each other's data.</p>
</overview>
<recommendation>
<p>It is safer to use <code>gmtime_r</code>.
<p>Replace calls to <code>gets</code> with <code>fgets</code>, specifying the maximum length to copy. This will prevent the buffer overflow.</p>
<p>Replace calls to <code>gmtime</code> with <code>gmtime_r</code>.
With <code>gmtime_r</code>, the application code manages allocation of
the <code>tm</code> struct. That way, separate calls to the function
can use their own storage.</p>
@@ -48,7 +52,7 @@ rules for the following CWEs:</p>
</section>
<references>
<li>Wikipedia: <a href="http://en.wikipedia.org/wiki/Morris_worm">Morris worm</a>.</li>
<li>E. Spafford. <i>The Internet Worm Program: An Analysis</i>. Purdue Technical Report CSD-TR-823, <a href="http://www.textfiles.com/100/tr823.txt">(online)</a>, 1988.</li>
</references>
</qhelp>