C++: Only the second indirection of the argument should be the remote flow source.

MathiasVP · MathiasVP · commit 392b2af9238f · 2023-11-02T16:51:24.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Inet.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Inet.qll
@@ -157,7 +157,7 @@ private class Getaddrinfo extends TaintFunction, ArrayFunction, RemoteFlowSource
   override predicate hasArrayWithNullTerminator(int bufParam) { bufParam in [0, 1] }
 
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(3) and
+    output.isParameterDeref(3, 2) and
     description = "address returned by " + this.getName()
   }
 }
diff --git a/cpp/ql/test/library-tests/dataflow/source-sink-tests/remote-flow.expected b/cpp/ql/test/library-tests/dataflow/source-sink-tests/remote-flow.expected
@@ -1,4 +1,2 @@
 testFailures
-| sources-and-sinks.cpp:51:52:51:55 | getaddrinfo output argument | Unexpected result: remote_source=51:52 |
-| sources-and-sinks.cpp:51:59:51:76 | // $ remote_source | Missing result:remote_source= |
 failures

Original file line number	Diff line number	Diff line change
`@@ -157,7 +157,7 @@ private class Getaddrinfo extends TaintFunction, ArrayFunction, RemoteFlowSource`
`157`	`157`	`override predicate hasArrayWithNullTerminator(int bufParam) { bufParam in [0, 1] }`
`158`	`158`
`159`	`159`	`override predicate hasRemoteFlowSource(FunctionOutput output, string description) {`
`160`		`- output.isParameterDeref(3) and`
	`160`	`+ output.isParameterDeref(3, 2) and`
`161`	`161`	`description = "address returned by " + this.getName()`
`162`	`162`	`}`
`163`	`163`	`}`