codeql/cpp/ql/src/Critical/OverflowCalculated.ql at 47486a4d8d67c2c9dbe05278ac6e146043a7ba68 · forks-felickz/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
/**
 * @name Buffer overflow from insufficient space or incorrect size calculation
 * @description A buffer allocated using 'malloc' may not have enough space for a string being copied into it, or wide character functions may receive incorrect size parameters causing buffer overrun. Make sure that buffers contain enough room for strings (including zero terminator) and that size parameters are correctly calculated.
 * @kind problem
 * @precision medium
 * @id cpp/overflow-calculated
 * @problem.severity warning
 * @security-severity 9.8
 * @tags reliability
 *       security
 *       external/cwe/cwe-131
 *       external/cwe/cwe-120
 */

import cpp
import semmle.code.cpp.ir.dataflow.DataFlow
import semmle.code.cpp.models.interfaces.Allocation

predicate spaceProblem(FunctionCall append, string msg) {
  exists(
    AllocationExpr malloc, StrlenCall strlen, AddExpr add, FunctionCall insert, Variable buffer
  |
    add.getAChild() = strlen and
    exists(add.getAChild().getValue()) and
    DataFlow::localExprFlow(add, malloc.getSizeExpr()) and
    buffer.getAnAccess() = strlen.getStringExpr() and
    (
      insert.getTarget().hasGlobalOrStdName("strcpy") or
      insert.getTarget().hasGlobalOrStdName("strncpy")
    ) and
    (
      append.getTarget().hasGlobalOrStdName("strcat") or
      append.getTarget().hasGlobalOrStdName("strncat")
    ) and
    malloc.getASuccessor+() = insert and
    insert.getArgument(1) = buffer.getAnAccess() and
    insert.getASuccessor+() = append and
    msg =
      "This buffer only contains enough room for '" + buffer.getName() + "' (copied on line " +
        insert.getLocation().getStartLine().toString() + ")"
  )
}

predicate wideCharSizeofProblem(FunctionCall call, string msg) {
  exists(
    Variable buffer, SizeofExprOperator sizeofOp, ArrayType arrayType
  |
    // Function call is to wcsftime
    call.getTarget().hasGlobalOrStdName("wcsftime") and
    // Second argument (count parameter) is a sizeof operation
    call.getArgument(1) = sizeofOp and
    // The sizeof is applied to a buffer variable
    sizeofOp.getExprOperand() = buffer.getAnAccess() and
    // The buffer is an array of wchar_t
    arrayType = buffer.getType() and
    arrayType.getBaseType().hasName("wchar_t") and
    msg =
      "Using sizeof(" + buffer.getName() + ") passes byte count instead of wchar_t element count to wcsftime. " +
      "Use sizeof(" + buffer.getName() + ")/sizeof(wchar_t) or array length instead."
  )
}

from Expr problem, string msg
where spaceProblem(problem, msg) or wideCharSizeofProblem(problem, msg)
select problem, msg