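---
# Semgrep hotspot rule for C/C++ off-by-one patterns (CWE-193 / CWE-787).
# The patterns below are heuristics: `confidence: MEDIUM` means every finding
# still needs manual triage against the surrounding buffer-size logic.
rules:
  - id: raptor-off-by-one
    metadata:
      author: Marco Ivaldi <raptor@0xdeadbeef.info>
      references:
        - https://cwe.mitre.org/data/definitions/193
        - https://cwe.mitre.org/data/definitions/787
        - https://g.co/kgs/PCHQjJ
        - https://github.com/struct/mms
      confidence: MEDIUM
    # NOTE: C++ `new` operator and some heap allocation functions are not covered.
    # NOTE: some string and memory copy functions are not covered.
    # NOTE: `memcpy(dst + 1, p, len)` and similar scenarios are not covered.
    # NOTE: pattern `{$len=snprintf(_); malloc($len);}` is not covered.
    # NOTE: some other ways to create an array are not covered.
    # NOTE: refer also to `metavariable-comparison` to catch larger indexes as in
    # https://github.com/parsiya/semgrep-hotspots/blob/main/cpp/arrays-out-of-bounds-access.yaml
    # NOTE: refer also to `cpp.lang.security.strings.alloc-strlen.alloc-strlen` and
    # `cpp.lang.security.strings.missing-nul-cpp-string-memcpy.missing-nul-cpp-string-memcpy`.
    message: >-
      The software calculates or uses an incorrect maximum or minimum value
      that is 1 more, or 1 less, than the correct value.
    severity: WARNING
    languages:
      - c
      - cpp
    pattern-either:
      # array access: a write at index == declared size lands one element
      # past the end of the array
      - pattern: $BUF[sizeof($BUF)] = ...
      - patterns:
          - pattern: $BUF[$LEN] = ...
          - pattern-either:
              - pattern-inside: |
                  $_ $BUF[$LEN];
                  ...
              - pattern-inside: |
                  $_ $BUF[$LEN] = ...;
                  ...
      - patterns:
          # block scalar: a plain `*(...)` value would be read as a YAML alias
          - pattern: |
              *($BUF + $LEN) = ...
          - pattern-either:
              - pattern-inside: |
                  $_ $BUF[$LEN];
                  ...
              - pattern-inside: |
                  $_ $BUF[$LEN] = ...;
                  ...
      # two-dimensional array access
      - patterns:
          - pattern: $BUF[$X][$Y] = ...
          - pattern-either:
              - pattern-inside: |
                  $_ $BUF[$_][$Y];
                  ...
              - pattern-inside: |
                  $_ $BUF[$X][$_];
                  ...
      # suspicious loops (disabled)
      # <... $I = 0 ...> is still not supported by Semgrep as of 2025-11-22
      # - pattern: for (<... $I = $NUM ...>; <... $I <= $LEN ...>; <... $I++ ...>) ...
      # - pattern: for (<... $I = $NUM ...>; <... $I <= $LEN ...>; <... ++$I ...>) ...
      # - pattern: for ($_ $I = $NUM; <... $I <= $LEN ...>; <... $I++ ...>) ...
      # - pattern: for ($_ $I = $NUM; <... $I <= $LEN ...>; <... ++$I ...>) ...
      # - pattern: while (<... $I <= $LEN ...>) ...
      # - pattern: do ... while (<... $I <= $LEN ...>);
      # strlen vs. sizeof: strlen() excludes the NUL terminator while sizeof()
      # counts the whole array, so these comparisons likely leave no room for
      # the terminator when the two values are equal
      - pattern: strlen($SRC) > sizeof($DST)
      - pattern: strlen($SRC) <= sizeof($DST)
      - pattern: sizeof($DST) < strlen($SRC)
      - pattern: sizeof($DST) >= strlen($SRC)
      # potential strncat misuse: reports any length argument that is not
      # written as `<expr> - 1`, so lengths computed some other way also show
      # up here and need triage
      - patterns:
          - pattern: strncat($_, $_, $LEN)
          - metavariable-pattern:
              metavariable: $LEN
              patterns:
                - pattern-not: $_ - 1
      # out-of-bound indexing: strlen($STR) can be 0 leading to a -1 index
      - pattern: $STR[strlen($STR) - 1]
      - patterns:
          - pattern-inside: |
              $LEN = strlen($STR) - 1;
              ...
          - pattern: $STR[$LEN]
      - patterns:
          - pattern-inside: |
              $LEN = strlen($STR);
              ...
          - pattern: $STR[$LEN - 1]
      # no space allocated for NUL terminator: strlen() does not count it,
      # so a buffer of that size cannot hold a copy of the string
      - pattern: malloc(strlen($STR))
      - patterns:
          - pattern-inside: |
              $LEN = strlen($STR);
              ...
          - pattern: malloc($LEN)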