From 66077dc38d4c57a78575542db19ca8fc64832d79 Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Tue, 4 Jun 2024 11:13:10 +0200
Subject: [PATCH 1/2] C++: Ignore `gets`'es with incorrect parameter counts

---
 .../src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql | 3 ++-
 .../CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c | 2 +-
 .../CWE-676/semmle/PotentiallyDangerousFunction/test.cpp | 7 +++++++
 3 files changed, 10 insertions(+), 2 deletions(-)
 create mode 100644 cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.cpp

diff --git a/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql b/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
index 3f511069271..76382b200af 100644
--- a/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+++ b/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
@@ -17,5 +17,6 @@ import cpp
 from FunctionCall call, Function target
 where
   call.getTarget() = target and
-  target.hasGlobalOrStdName("gets")
+  target.hasGlobalOrStdName("gets") and
+  target.getNumberOfParameters() = 1
 select call, "'gets' does not guard against buffer overflow."
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c
index 0de048210d6..34ca23748c8 100644
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.c
@@ -36,7 +36,7 @@ char *gets(char *s);
 void testGets() {
   char buf1[1024];
-  char buf2 = malloc(1024);
+  char *buf2 = malloc(1024);
   char *s;
   gets(buf1); // BAD: use of gets
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.cpp
new file mode 100644
index 00000000000..a50478f7ed6
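Review bot: The new `target.getNumberOfParameters() = 1` conjunct in the DangerousFunctionOverflow.ql hunk also excludes a genuine stdio `gets` reached through a prototype-less C declaration (`char *gets();`), which presumably is stored with zero declared parameters, so a `gets(buf)` call against such a declaration would no longer be reported. If the intent is only to drop the zero-argument C++ `gets()` added in test.cpp, checking the call instead of the declaration, `call.getNumberOfArguments() = 1`, still excludes `s = gets()` while keeping the unprototyped C case flagged. A C test with an unprototyped `gets` declaration would pin whichever behaviour is intended; the .ql hunk shows the full `from`/`where`/`select` body, but the query header above line 17 is outside the hunk.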
--- /dev/null
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-676/semmle/PotentiallyDangerousFunction/test.cpp
@@ -0,0 +1,7 @@
+char *gets();
+
+void testOtherGets() {
+  char *s;
+
+  s = gets(); // GOOD: this is not the gets from stdio.h
+}

From 6f8449cf7552631c16420f38991f00363aa03e4f Mon Sep 17 00:00:00 2001
From: Jeroen Ketema
Date: Wed, 5 Jun 2024 10:05:13 +0200
Subject: [PATCH 2/2] C++: Add change note

---
 cpp/ql/src/change-notes/2014-06-05-gets-parameter.md | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 cpp/ql/src/change-notes/2014-06-05-gets-parameter.md

diff --git a/cpp/ql/src/change-notes/2014-06-05-gets-parameter.md b/cpp/ql/src/change-notes/2014-06-05-gets-parameter.md
new file mode 100644
index 00000000000..e64f5d180eb
--- /dev/null
+++ b/cpp/ql/src/change-notes/2014-06-05-gets-parameter.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `cpp/dangerous-function-overflow` no longer produces a false positive alert when the `gets` function does not have exactly one parameter.