docs/codeql/codeql-language-guides/advanced-dataflow-scenarios-cpp.rst (8 additions, 1 deletion)
@@ -62,6 +62,7 @@ will catch most things such as:
62
62
63
63
.. code-block:: cpp
64
64
:caption: Example 1
65
+
:linenos:
65
66
66
67
struct A {
67
68
const int *p;
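Review bot: the new `:linenos:` line has to sit directly under `:caption: Example 1` with the same indentation as the other directive options and before the blank line that closes the option list; if it lands after that blank line or is indented differently, Sphinx treats it as the first line of the code block and renders the literal text `:linenos:` above `struct A {`. The rendered diff drops leading whitespace, so check the raw file and the built HTML for Example 1 (the same applies to the identical edits in Examples 2 to 4).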
@@ -118,6 +119,7 @@ This would match the call to ``write_user_input_to`` in the following example:
118
119
119
120
.. code-block:: cpp
120
121
:caption: Example 2
122
+
:linenos:
121
123
122
124
void write_user_input_to(void*);
123
125
void use_value(int);
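Review bot: the sentence in the hunk header, "This would match the call to ``write_user_input_to`` in the following example:", could now name the line of that call, as the rewritten paragraph for Example 4 does ("on line 12"); since `:linenos:` is being added precisely so that prose can point at lines, it would be consistent to use it here too, counting from `void write_user_input_to(void*);` as line 1.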
@@ -204,6 +206,7 @@ Consider a slightly different sink:
204
206
205
207
.. code-block:: cpp
206
208
:caption: Example 3
209
+
:linenos:
207
210
208
211
void write_user_input_to(void*);
209
212
void use_pointer(int*);
@@ -295,6 +298,7 @@ Consider an alternative scenario where ``U`` contains a single ``int`` data, and
295
298
296
299
.. code-block:: cpp
297
300
:caption: Example 4
301
+
:linenos:
298
302
299
303
void write_user_input_to(void*);
300
304
void use_pointer(int*);
@@ -318,7 +322,9 @@ Consider an alternative scenario where ``U`` contains a single ``int`` data, and
318
322
free(u);
319
323
}
320
324
321
-
Since data is no longer a pointer our ``isAdditionalFlowStep`` doesn't make any sense because it specifies flow to the indirection of the field (and an integer does not have any indirections). So there is no choice about whether to taint the value of the field or its indirection: it has to be the value. However, since we pass the address of ``data`` to ``use_pointer`` the tainted data is what is pointed to by the argument of ``use_pointer`` (since the data pointed to by ``&data`` is exactly ``data``). So to handle this case we need a mix of the two situations above:
325
+
Since the ``data`` field is now an ``int`` instead of an ``int*`` the field no longer has any indirections, and so the use of ``asIndirectExpr`` in ``isAdditionalFlowStep`` no longer makes sense (and so the additional step will have no results). So there is no choice about whether to taint the value of the field or its indirection: it has to be the value.
326
+
327
+
However, since we pass the address of ``data`` to ``use_pointer`` on line 12 the tainted value is what is pointed to by the argument of ``use_pointer`` (since the value pointed to by ``&data`` is exactly ``data``). So to handle this case we need a mix of the two situations above:
322
328
1. We need to taint the value of the field as described the :ref:`Using asExpr <using-asExpr>` section.
323
329
2. We need to select the indirection of the argument as described in the :ref:`Using asIndirectExpr <using-asIndirectExpr>` section.
324
330
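Review bot: the new sentence hard-codes "on line 12" for the `use_pointer(&u->data)` call in Example 4, and that number is not verifiable from the visible lines; confirm that, with `:linenos:` counting `void write_user_input_to(void*);` as line 1, line 12 really is the call, and note that the reference silently goes stale whenever a line is added above it (for example a comment or an include). Also, the split inserts two blank lines (326 and 327) between the two new paragraphs where the rest of the file uses one; a single blank line is enough for reStructuredText and keeps the spacing consistent.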
@@ -373,6 +379,7 @@ To set the stage, consider the following scenario: