C++: Only the first indirection of the argument should be the remote flow sink.

MathiasVP · MathiasVP · commit ff30308a2b41 · 2023-11-06T13:57:14.000Z
diff --git a/cpp/ql/lib/semmle/code/cpp/models/implementations/Send.qll b/cpp/ql/lib/semmle/code/cpp/models/implementations/Send.qll
@@ -58,7 +58,7 @@ private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, Rem
   override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }
 
   override predicate hasRemoteFlowSink(FunctionInput input, string description) {
-    input.isParameterDeref(1) and description = "buffer sent by " + this.getName()
+    input.isParameterDeref(1, 1) and description = "buffer sent by " + this.getName()
   }
 
   override predicate hasSocketInput(FunctionInput input) { input.isParameter(0) }

Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, Rem`
`58`	`58`	`override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }`
`59`	`59`
`60`	`60`	`override predicate hasRemoteFlowSink(FunctionInput input, string description) {`
`61`		`- input.isParameterDeref(1) and description = "buffer sent by " + this.getName()`
	`61`	`+ input.isParameterDeref(1, 1) and description = "buffer sent by " + this.getName()`
`62`	`62`	`}`
`63`	`63`
`64`	`64`	`override predicate hasSocketInput(FunctionInput input) { input.isParameter(0) }`