C++: Model getaddrinfo as flow source

Author: jketema

cpp/ql/lib/semmle/code/cpp/models/implementations/Inet.qll

@@ -1,6 +1,7 @@
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.FlowSource
 
 private class InetNtoa extends TaintFunction {
   InetNtoa() { hasGlobalName("inet_ntoa") }
@@ -142,3 +143,21 @@ private class Gethostbyaddr extends TaintFunction, ArrayFunction {
 
   override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 }
 }
+
+private class Getaddrinfo extends TaintFunction, ArrayFunction, RemoteFlowSourceFunction {
+  Getaddrinfo() { hasGlobalName("getaddrinfo") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isParameterDeref([0 .. 2]) and
+    output.isParameterDeref(3)
+  }
+
+  override predicate hasArrayInput(int bufParam) { bufParam in [0, 1] }
+
+  override predicate hasArrayWithNullTerminator(int bufParam) { bufParam in [0, 1] }
+
+  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(3) and
+    description = "Address returned by " + this.getName()
+  }
+}

cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp

@@ -40,3 +40,13 @@ void test_scanf(FILE *stream, int *d, char *buf) {
   scanf("%d %s", d, buf); // $ local_source=40:18 local_source=40:21
   fscanf(stream, "%d %s", d, buf);  // $ remote_source=41:27 remote_source=41:30
 }
+
+struct addrinfo;
+
+int getaddrinfo(const char *hostname, const char *servname,
+                const struct addrinfo *hints, struct addrinfo **res);
+
+void test_inet(char *hostname, char *servname, struct addrinfo *hints) {
+  addrinfo *res;
+  int ret = getaddrinfo(hostname, servname, hints, &res); // $ remote_source
+}