

Commit 8a9ee8f

authored
Merge pull request #2300 from geoffw0/names
CPP: Rename/relocate some queries and libraries
2 parents 429c307 + db26b85 commit 8a9ee8f

27 files changed

Lines changed: 41 additions & 115 deletions

cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBound.qll

Lines changed: 0 additions & 33 deletions
This file was deleted.

cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayBad.cpp renamed to cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound-bad.cpp

File renamed without changes.

cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayGood.cpp renamed to cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound-good.cpp

File renamed without changes.

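--- a/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBoundOpenSource.qhelp
+++ b/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qhelp
@@ -31,10 +31,10 @@ it to host byte order. The data is then used as an index in an array access expr
 there is no validation that the data returned by <code>ntohl</code> is within the bounds of the array,
 which could lead to reading outside the bounds of the buffer.
 </p>
-<sample src="NtohlArrayBad.cpp" />
+<sample src="NtohlArrayNoBound-bad.cpp" />
 <p>In the corrected example, the returned data is validated against the known size of the buffer,
 before being used as an array index.</p>
-<sample src="NtohlArrayGood.cpp" />
+<sample src="NtohlArrayNoBound-good.cpp" />
 </example>
 
 <references>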

cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/NtohlArrayNoBoundOpenSource.ql renamed to cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.ql

File renamed without changes.

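--- a/cpp/ql/src/Likely Bugs/Memory Management/Buffer Overflow/BufferAccess.qll
+++ b/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.qll
@@ -1,55 +1,7 @@
 import cpp
-import semmle.code.cpp.dataflow.TaintTracking
-private import semmle.code.cpp.dataflow.RecursionPrevention
-
-/**
-* A buffer which includes an allocation size.
-*/
-abstract class BufferWithSize extends DataFlow::Node {
-abstract Expr getSizeExpr();
-
-BufferAccess getAnAccess() {
-any(BufferWithSizeConfig bsc).hasFlow(this, DataFlow::exprNode(result.getPointer()))
-}
-}
-
-/** An allocation function. */
-abstract class Alloc extends Function { }
-
-/**
-* Allocation functions identified by the QL for C/C++ standard library.
-*/
-class DefaultAlloc extends Alloc {
-DefaultAlloc() { allocationFunction(this) }
-}
-
-/** A buffer created through a call to an allocation function. */
-class AllocBuffer extends BufferWithSize {
-FunctionCall call;
-
-AllocBuffer() {
-asExpr() = call and
-call.getTarget() instanceof Alloc
-}
-
-override Expr getSizeExpr() { result = call.getArgument(0) }
-}
-
-/**
-* Find accesses of buffers for which we have a size expression.
-*/
-private class BufferWithSizeConfig extends TaintTracking::Configuration {
-BufferWithSizeConfig() { this = "BufferWithSize" }
-
-override predicate isSource(DataFlow::Node n) { n = any(BufferWithSize b) }
-
-override predicate isSink(DataFlow::Node n) { n.asExpr() = any(BufferAccess ae).getPointer() }
-
-override predicate isSanitizer(DataFlow::Node s) {
-s = any(BufferWithSize b) and
-s.asExpr().getControlFlowScope() instanceof Alloc
-}
-}
+import semmle.code.cpp.dataflow.DataFlow
+import semmle.code.cpp.controlflow.Guards
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
 
 /**
 * An access (read or write) to a buffer, provided as a pair of
@@ -172,3 +124,31 @@ class MallocSizeExpr extends BufferAccess, FunctionCall {
 
 override Expr getAccessedLength() { result = getArgument(1) }
 }
+
+class NetworkFunctionCall extends FunctionCall {
+NetworkFunctionCall() {
+getTarget().hasName("ntohd") or
+getTarget().hasName("ntohf") or
+getTarget().hasName("ntohl") or
+getTarget().hasName("ntohll") or
+getTarget().hasName("ntohs")
+}
+}
+
+class NetworkToBufferSizeConfiguration extends DataFlow::Configuration {
+NetworkToBufferSizeConfiguration() { this = "NetworkToBufferSizeConfiguration" }
+
+override predicate isSource(DataFlow::Node node) { node.asExpr() instanceof NetworkFunctionCall }
+
+override predicate isSink(DataFlow::Node node) {
+node.asExpr() = any(BufferAccess ba).getAccessedLength()
+}
+
+override predicate isBarrier(DataFlow::Node node) {
+exists(GuardCondition gc, GVN gvn |
+gc.getAChild*() = gvn.getAnExpr() and
+globalValueNumber(node.asExpr()) = gvn and
+gc.controls(node.asExpr().getBasicBlock(), _)
+)
+}
+}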
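Review bot: `NetworkToBufferSizeConfiguration.isBarrier` stops flow at any node whose value number appears anywhere under a guard that controls its basic block, and the `_` in `gc.controls(..., _)` accepts either branch, so a comparison that does not actually bound the value (a check against zero, or the branch on which a bounds check failed) is treated as a sanitizer; this looks like a deliberate precision trade-off, but nothing on the page documents it. Neither `NetworkFunctionCall` nor `NetworkToBufferSizeConfiguration` carries a QLDoc comment, while the classes removed from this file and the surrounding `BufferAccess` hierarchy do; suggest `/** A call to a network-to-host byte-order conversion function such as ntohl or ntohs. */` above the first and `/** Data flow from the result of a network-to-host conversion to the length of a buffer access, stopped at any guard condition that mentions an equivalent value. */` above the second. Since the new configuration extends `DataFlow::Configuration` rather than the `TaintTracking::Configuration` the removed code used, arithmetic on the converted value before it reaches the sink will, as far as I can tell, no longer be followed; stating that in the QLDoc would keep the choice from being read as an omission.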

cpp/ql/src/Likely Bugs/Protocols/boostorg/TlsSettingsMisconfiguration.qhelp renamed to cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.qhelp

File renamed without changes.

cpp/ql/src/Likely Bugs/Protocols/boostorg/TlsSettingsMisconfiguration.ql renamed to cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql

File renamed without changes.

cpp/ql/src/Likely Bugs/Protocols/boostorg/UseOfDeprecatedHardcodedProtocol.qhelp renamed to cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.qhelp

File renamed without changes.

cpp/ql/src/Likely Bugs/Protocols/boostorg/UseOfDeprecatedHardcodedProtocol.ql renamed to cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql

File renamed without changes.
