/**
* @id c/cert/strings-has-sufficient-space-for-the-null-terminator
* @name STR31-C: Guarantee that storage for strings has sufficient space for character data and the null terminator
* @description Many library functions in the C standard library assume C strings are null
* terminated and failing to null terminate strings may lead to unpredictable program
* behavior.
* @kind problem
* @precision medium
* @problem.severity error
* @tags external/cert/id/str31-c
* correctness
* security
* external/cert/obligation/rule
*/
import cpp
import codingstandards.c.cert
import semmle.code.cpp.dataflow.new.TaintTracking
import codingstandards.cpp.PossiblyUnsafeStringOperation
/**
 * Models calls to the C library input functions `gets` and `getchar`.
 *
 * `gets` has no way to bound the data it writes into the caller's buffer. `getchar` is
 * presumably listed to catch character-by-character read loops; note that every call to
 * it is matched, not only the ones that store into a buffer, which is one reason the
 * query is rated `@precision medium`.
 */
class PossiblyUnsafeStringFunctionCall extends FunctionCall {
  PossiblyUnsafeStringFunctionCall() {
    exists(string unsafeName |
      unsafeName = ["gets", "getchar"] and
      this.getTarget().hasName(unsafeName)
    )
  }
}
/**
 * Models expressions whose string result has no length known to the program:
 * any access to the second parameter of a function named `main` (conventionally `argv`),
 * and any call to a function named `getenv`. Both hand the program externally supplied
 * data whose length is controlled by the environment, not by the code.
 */
class PossiblyUnboundedExpr extends Expr {
  PossiblyUnboundedExpr() {
    // Parameter index 1 is the second parameter, i.e. `argv` in `main(argc, argv)`.
    this = any(Function main | main.hasName("main")).getParameter(1).getAnAccess()
    or
    // The call expression itself is the unbounded value.
    this.(FunctionCall).getTarget().hasName("getenv")
  }
}
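/*
 * Report expressions that produce or consume a string without guaranteed room for the
 * null terminator.
 *
 * The exclusion check has to wrap the whole disjunction. In QL `and` binds tighter than
 * `or`, so an unparenthesised `not isExcluded(e, ...) and A or B or C or D` applies the
 * exclusion only to `A`: a deviation recorded for this rule would still leave the other
 * three cases reported.
 */
from Expr e
where
  not isExcluded(e, Strings1Package::stringsHasSufficientSpaceForTheNullTerminatorQuery()) and
  (
    // A library string operation modelled as possibly not writing a terminator.
    e instanceof PossiblyUnsafeStringOperation
    or
    // A call to `gets` or `getchar`.
    e instanceof PossiblyUnsafeStringFunctionCall
    or
    // A char array whose initialising literal fills (or exceeds) the array, so no slot is
    // left for the terminator, flowing locally into `e`.
    exists(CharArrayInitializedWithStringLiteral cl |
      cl.getContainerLength() <= cl.getStringLiteralLength() and
      TaintTracking::localTaint(DataFlow::exprNode(cl), DataFlow::exprNode(e))
    )
    or
    // An unbounded value (`argv`, `getenv`) reaching an argument of a standard C string
    // function, which will read or copy it assuming a terminator is present.
    e instanceof PossiblyUnboundedExpr and
    exists(FunctionCall fc |
      fc.getTarget() instanceof StandardCStringFunction and
      TaintTracking::localTaint(DataFlow::exprNode(e), DataFlow::exprNode(fc.getAnArgument()))
    )
  )
select e,
  "Expression produces or consumes a string that may not have sufficient space for a null-terminator."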