Add files via upload

Author: ihsinme

cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.c

@@ -0,0 +1,13 @@
+...
+  buf = malloc(intSize);
+...
+  free(buf); 
+  buf = NULL; // GOOD
+...
+
+...
+  buf = malloc(intSize);
+...
+  free(buf); 
+  if(buf) free(buf); // BAD: the cleanup function does not zero out the pointer
+...

cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.qhelp

@@ -0,0 +1,26 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>Double freeing of a previously allocated resource can lead to various vulnerabilities in the program. Requires the attention of developers.</p>
+
+</overview>
+<recommendation>
+<p>We recommend that you exclude situations of possible double release.</p>
+
+</recommendation>
+<example>
+<p>The following example demonstrates an erroneous and corrected use of freeing a pointer.</p>
+<sample src="DoubleFree.c" />
+
+</example>
+<references>
+
+<li>
+  CERT C Coding Standard:
+  <a href="https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory">MEM30-C. Do not access freed memory</a>.
+</li>
+
+</references>
+</qhelp>

cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql

@@ -0,0 +1,51 @@
+/**
+ * @name Errors When Double Free
+ * @description Double freeing of a previously allocated resource can lead to various vulnerabilities in the program
+ *              and requires the attention of the developer.
+ * @kind problem
+ * @id cpp/errors-when-double-free
+ * @problem.severity warning
+ * @precision medium
+ * @tags security
+ *       external/cwe/cwe-415
+ */
+
+import cpp
+
+/**
+ * The function allows `getASuccessor` to be called recursively.
+ * This provides a stop in situations of possible influence on the pointer.
+ */
+ControlFlowNode recursASuccessor(FunctionCall fc, LocalScopeVariable v) {
+  result = fc
+  or
+  exists(ControlFlowNode mid |
+    mid = recursASuccessor(fc, v) and
+    result = mid.getASuccessor() and
+    not result = v.getAnAssignedValue() and
+    not result.(AddressOfExpr).getOperand() = v.getAnAccess() and
+    not (
+      not result instanceof DeallocationExpr and
+      result.(FunctionCall).getAnArgument().(VariableAccess).getTarget() = v
+    ) and
+    (
+      fc.getTarget().hasGlobalOrStdName("realloc") and
+      (
+        not fc.getParent*() instanceof IfStmt and
+        not result instanceof IfStmt
+      )
+      or
+      not fc.getTarget().hasGlobalOrStdName("realloc")
+    )
+  )
+}
+
+from FunctionCall fc
+where
+  exists(FunctionCall fc2, LocalScopeVariable v |
+    freeCall(fc, v.getAnAccess()) and
+    freeCall(fc2, v.getAnAccess()) and
+    fc != fc2 and
+    recursASuccessor(fc, v) = fc2
+  )
+select fc.getArgument(0), "This pointer may be cleared again later."