|
1 | 1 | /**
|
2 | 2 | * @name Potentially unsafe call to strncat
|
3 |
| - * @description Calling 'strncat' with the size of the destination buffer |
4 |
| - * as the third argument may result in a buffer overflow. |
| 3 | + * @description Calling `strncat` with the size of the destination buffer as the third argument may result in a buffer overflow. |
| 4 | + * Similarly, calling `strncat` with `sizeof (dest) - strlen (dest)` as the third argument may result in a buffer overflow. |
5 | 5 | * @kind problem
|
6 | 6 | * @problem.severity warning
|
7 | 7 | * @precision medium
|
8 | 8 | * @id cpp/unsafe-strncat
|
9 | 9 | * @tags reliability
|
10 | 10 | * correctness
|
11 | 11 | * security
|
| 12 | + * external/cwe/cwe-788 |
12 | 13 | * external/cwe/cwe-676
|
13 | 14 | * external/cwe/cwe-119
|
14 | 15 | * external/cwe/cwe-251
|
15 | 16 | */
|
16 | 17 |
|
17 | 18 | import cpp
|
18 | 19 | import Buffer
|
| 20 | +import semmle.code.cpp.models.implementations.Strcat |
| 21 | +import semmle.code.cpp.valuenumbering.GlobalValueNumbering |
19 | 22 |
|
20 |
| -from FunctionCall fc, VariableAccess va1, VariableAccess va2 |
21 |
| -where |
22 |
| - fc.getTarget().(Function).hasName("strncat") and |
23 |
| - va1 = fc.getArgument(0) and |
24 |
| - va2 = fc.getArgument(2).(BufferSizeExpr).getArg() and |
25 |
| - va1.getTarget() = va2.getTarget() |
| 23 | +/** |
| 24 | + * Holds if `call` is a call to `strncat` such that `sizeArg` and `destArg` are the size and |
| 25 | + * destination arguments, respectively. |
| 26 | + */ |
| 27 | +predicate interestringCallWithArgs(Call call, Expr sizeArg, Expr destArg) { |
| 28 | + exists(StrcatFunction strcat | |
| 29 | + strcat = call.getTarget() and |
| 30 | + sizeArg = call.getArgument(strcat.getParamSize()) and |
| 31 | + destArg = call.getArgument(strcat.getParamDest()) |
| 32 | + ) |
| 33 | +} |
| 34 | + |
| 35 | +/** |
| 36 | + * Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination |
| 37 | + * argument `destArg`, and `destArg` is the size of the buffer pointed to by `destArg`. |
| 38 | + */ |
| 39 | +predicate case1(FunctionCall fc, Expr sizeArg, VariableAccess destArg) { |
| 40 | + interestringCallWithArgs(fc, sizeArg, destArg) and |
| 41 | + exists(StrcatFunction strncat, VariableAccess va | |
| 42 | + fc.getTarget() = strncat and |
| 43 | + destArg = fc.getArgument(strncat.getParamDest()) and |
| 44 | + va = sizeArg.(BufferSizeExpr).getArg() and |
| 45 | + destArg.getTarget() = va.getTarget() |
| 46 | + ) |
| 47 | +} |
| 48 | + |
| 49 | +/** |
| 50 | + * Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination |
| 51 | + * argument `destArg`, and `sizeArg` computes the value `sizeof (dest) - strlen (dest)`. |
| 52 | + */ |
| 53 | +predicate case2(FunctionCall fc, Expr sizeArg, VariableAccess destArg) { |
| 54 | + interestringCallWithArgs(fc, sizeArg, destArg) and |
| 55 | + exists(SubExpr sub, int n | |
| 56 | + // The destination buffer is an array of size n |
| 57 | + destArg.getUnspecifiedType().(ArrayType).getSize() = n and |
| 58 | + // The size argument is equivalent to a subtraction |
| 59 | + globalValueNumber(sizeArg).getAnExpr() = sub and |
| 60 | + // ... where the left side of the subtraction is the constant n |
| 61 | + globalValueNumber(sub.getLeftOperand()).getAnExpr().getValue().toInt() = n and |
| 62 | + // ... and the right side of the subtraction is a call to `strlen` where the argument is the |
| 63 | + // destination buffer. |
| 64 | + globalValueNumber(sub.getRightOperand()).getAnExpr().(StrlenCall).getStringExpr() = |
| 65 | + globalValueNumber(destArg).getAnExpr() |
| 66 | + ) |
| 67 | +} |
| 68 | + |
| 69 | +from FunctionCall fc, Expr sizeArg, Expr destArg |
| 70 | +where case1(fc, sizeArg, destArg) or case2(fc, sizeArg, destArg) |
26 | 71 | select fc, "Potentially unsafe call to strncat."
|
0 commit comments