
Commit d084931

committed
CPP: Fix use after free FPs by eliminating freeing nodes rather than freeing expressions.
1 parent 9de6230 commit d084931


2 files changed

+2
-4
lines changed


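--- a/cpp/ql/src/Critical/UseAfterFree.ql
+++ b/cpp/ql/src/Critical/UseAfterFree.ql
@@ -31,7 +31,7 @@ private predicate externalCallNeverDereferences(FormattingFunctionCall call, int
 
 predicate isUse0(DataFlow::Node n, Expr e) {
 e = n.asExpr() and
-not isFree(_, e, _) and
+not isFree(n, _, _) and
 (
 e = any(PointerDereferenceExpr pde).getOperand()
 or
@@ -43,7 +43,7 @@ predicate isUse0(DataFlow::Node n, Expr e) {
 or
 // Assume any function without a body will dereference the pointer
 exists(int i, Call call, Function f |
-n.asExpr() = call.getArgument(i) and
+e = call.getArgument(i) and
 f = call.getTarget() and
 not f.hasEntryPoint() and
 // Exclude known functions we know won't dereference the pointer.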
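Review bot: The new exclusion `not isFree(n, _, _)` in the first hunk is the actual fix, but nothing in isUse0 records why the check moved from the freed expression to the freeing node, so the next edit can silently revert it; a comment above that line would pin the intent, e.g. `// Exclude only the node that performs the free, not every node whose expression is passed to free; matching on the expression also suppressed or mis-reported nodes that merely share that expression.` Judging by the dropped expected result at test.cpp:205 (an assignment expression sitting inside the free call's argument, by the columns), that is the false positive being removed, though the test source is not in this commit. In the second hunk, `e = call.getArgument(i)` is equivalent to the old `n.asExpr() = call.getArgument(i)` given `e = n.asExpr()` at the top of the predicate, so that change reads as consistency rather than behaviour. isUse0's body continues past the second hunk.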

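--- a/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
+++ b/cpp/ql/test/query-tests/Critical/MemoryFreed/UseAfterFree.expected
@@ -13,7 +13,6 @@ edges
 | test_free.cpp:239:14:239:15 | * ... | test_free.cpp:241:9:241:10 | * ... |
 | test_free.cpp:245:10:245:11 | * ... | test_free.cpp:246:9:246:10 | * ... |
 nodes
-| test.cpp:205:7:205:11 | ... = ... | semmle.label | ... = ... |
 | test_free.cpp:11:10:11:10 | a | semmle.label | a |
 | test_free.cpp:12:5:12:5 | a | semmle.label | a |
 | test_free.cpp:13:5:13:6 | * ... | semmle.label | * ... |
@@ -41,7 +40,6 @@ nodes
 | test_free.cpp:246:9:246:10 | * ... | semmle.label | * ... |
 subpaths
 #select
-| test.cpp:205:7:205:11 | ... = ... | test.cpp:205:7:205:11 | ... = ... | test.cpp:205:7:205:11 | ... = ... | Memory may have been previously freed by $@. | test.cpp:205:2:205:5 | call to free | call to free |
 | test_free.cpp:12:5:12:5 | a | test_free.cpp:11:10:11:10 | a | test_free.cpp:12:5:12:5 | a | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
 | test_free.cpp:13:5:13:6 | * ... | test_free.cpp:11:10:11:10 | a | test_free.cpp:13:5:13:6 | * ... | Memory may have been previously freed by $@. | test_free.cpp:11:5:11:8 | call to free | call to free |
 | test_free.cpp:45:5:45:5 | a | test_free.cpp:42:27:42:27 | a | test_free.cpp:45:5:45:5 | a | Memory may have been previously freed by $@. | test_free.cpp:42:22:42:25 | call to free | call to free |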
