C++: Additional test cases.

geoffw0 · geoffw0 · commit febbbc442328 · 2020-04-09T15:03:35.000+01:00
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/TaintedAllocationSize.expected
@@ -69,6 +69,62 @@ edges
 | test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:14 | size |
 | test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:28 | ... * ... |
 | test.cpp:138:19:138:32 | (const char *)... | test.cpp:142:11:142:28 | ... * ... |
+| test.cpp:201:9:201:12 | call to atoi | test.cpp:201:9:201:12 | call to atoi |
+| test.cpp:201:9:201:12 | call to atoi | test.cpp:201:9:201:28 | (unsigned long)... |
+| test.cpp:201:9:201:12 | call to atoi | test.cpp:201:9:201:42 | Store |
+| test.cpp:201:9:201:42 | Store | test.cpp:231:9:231:24 | call to get_tainted_size |
+| test.cpp:201:9:201:42 | Store | test.cpp:231:9:231:24 | call to get_tainted_size |
+| test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:12 | call to atoi |
+| test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:12 | call to atoi |
+| test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:12 | call to atoi |
+| test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:28 | (unsigned long)... |
+| test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:42 | Store |
+| test.cpp:201:14:201:27 | (const char *)... | test.cpp:201:9:201:12 | call to atoi |
+| test.cpp:201:14:201:27 | (const char *)... | test.cpp:201:9:201:12 | call to atoi |
+| test.cpp:201:14:201:27 | (const char *)... | test.cpp:201:9:201:12 | call to atoi |
+| test.cpp:201:14:201:27 | (const char *)... | test.cpp:201:9:201:28 | (unsigned long)... |
+| test.cpp:201:14:201:27 | (const char *)... | test.cpp:201:9:201:42 | Store |
+| test.cpp:206:13:206:16 | call to atoi | test.cpp:206:13:206:16 | call to atoi |
+| test.cpp:206:13:206:16 | call to atoi | test.cpp:206:13:206:32 | (unsigned long)... |
+| test.cpp:206:18:206:23 | call to getenv | test.cpp:206:13:206:16 | call to atoi |
+| test.cpp:206:18:206:23 | call to getenv | test.cpp:206:13:206:16 | call to atoi |
+| test.cpp:206:18:206:23 | call to getenv | test.cpp:206:13:206:16 | call to atoi |
+| test.cpp:206:18:206:23 | call to getenv | test.cpp:206:13:206:32 | (unsigned long)... |
+| test.cpp:206:18:206:31 | (const char *)... | test.cpp:206:13:206:16 | call to atoi |
+| test.cpp:206:18:206:31 | (const char *)... | test.cpp:206:13:206:16 | call to atoi |
+| test.cpp:206:18:206:31 | (const char *)... | test.cpp:206:13:206:16 | call to atoi |
+| test.cpp:206:18:206:31 | (const char *)... | test.cpp:206:13:206:32 | (unsigned long)... |
+| test.cpp:214:23:214:23 | s | test.cpp:215:21:215:21 | s |
+| test.cpp:214:23:214:23 | s | test.cpp:215:21:215:21 | s |
+| test.cpp:220:21:220:21 | s | test.cpp:221:21:221:21 | s |
+| test.cpp:220:21:220:21 | s | test.cpp:221:21:221:21 | s |
+| test.cpp:227:19:227:22 | call to atoi | test.cpp:227:19:227:22 | call to atoi |
+| test.cpp:227:19:227:22 | call to atoi | test.cpp:227:19:227:38 | (unsigned long)... |
+| test.cpp:227:19:227:22 | call to atoi | test.cpp:229:9:229:18 | (size_t)... |
+| test.cpp:227:19:227:22 | call to atoi | test.cpp:229:9:229:18 | local_size |
+| test.cpp:227:19:227:22 | call to atoi | test.cpp:229:9:229:18 | local_size |
+| test.cpp:227:19:227:22 | call to atoi | test.cpp:235:11:235:20 | (size_t)... |
+| test.cpp:227:19:227:22 | call to atoi | test.cpp:237:10:237:19 | (size_t)... |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:227:19:227:22 | call to atoi |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:227:19:227:22 | call to atoi |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:227:19:227:22 | call to atoi |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:227:19:227:38 | (unsigned long)... |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | (size_t)... |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:235:11:235:20 | (size_t)... |
+| test.cpp:227:24:227:29 | call to getenv | test.cpp:237:10:237:19 | (size_t)... |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:227:19:227:22 | call to atoi |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:227:19:227:22 | call to atoi |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:227:19:227:22 | call to atoi |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:227:19:227:38 | (unsigned long)... |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | (size_t)... |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:229:9:229:18 | local_size |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:235:11:235:20 | (size_t)... |
+| test.cpp:227:24:227:37 | (const char *)... | test.cpp:237:10:237:19 | (size_t)... |
+| test.cpp:235:11:235:20 | (size_t)... | test.cpp:214:23:214:23 | s |
+| test.cpp:237:10:237:19 | (size_t)... | test.cpp:220:21:220:21 | s |
 nodes
 | test.cpp:39:21:39:24 | argv | semmle.label | argv |
 | test.cpp:39:21:39:24 | argv | semmle.label | argv |
@@ -134,6 +190,46 @@ nodes
 | test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
 | test.cpp:142:11:142:28 | ... * ... | semmle.label | ... * ... |
+| test.cpp:201:9:201:12 | call to atoi | semmle.label | call to atoi |
+| test.cpp:201:9:201:12 | call to atoi | semmle.label | call to atoi |
+| test.cpp:201:9:201:12 | call to atoi | semmle.label | call to atoi |
+| test.cpp:201:9:201:28 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:201:9:201:28 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:201:9:201:42 | Store | semmle.label | Store |
+| test.cpp:201:14:201:19 | call to getenv | semmle.label | call to getenv |
+| test.cpp:201:14:201:27 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:206:13:206:16 | call to atoi | semmle.label | call to atoi |
+| test.cpp:206:13:206:16 | call to atoi | semmle.label | call to atoi |
+| test.cpp:206:13:206:16 | call to atoi | semmle.label | call to atoi |
+| test.cpp:206:13:206:32 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:206:13:206:32 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:206:18:206:23 | call to getenv | semmle.label | call to getenv |
+| test.cpp:206:18:206:31 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:214:23:214:23 | s | semmle.label | s |
+| test.cpp:215:21:215:21 | s | semmle.label | s |
+| test.cpp:215:21:215:21 | s | semmle.label | s |
+| test.cpp:215:21:215:21 | s | semmle.label | s |
+| test.cpp:220:21:220:21 | s | semmle.label | s |
+| test.cpp:221:21:221:21 | s | semmle.label | s |
+| test.cpp:221:21:221:21 | s | semmle.label | s |
+| test.cpp:221:21:221:21 | s | semmle.label | s |
+| test.cpp:227:19:227:22 | call to atoi | semmle.label | call to atoi |
+| test.cpp:227:19:227:22 | call to atoi | semmle.label | call to atoi |
+| test.cpp:227:19:227:22 | call to atoi | semmle.label | call to atoi |
+| test.cpp:227:19:227:38 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:227:19:227:38 | (unsigned long)... | semmle.label | (unsigned long)... |
+| test.cpp:227:24:227:29 | call to getenv | semmle.label | call to getenv |
+| test.cpp:227:24:227:37 | (const char *)... | semmle.label | (const char *)... |
+| test.cpp:229:9:229:18 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:229:9:229:18 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:229:9:229:18 | local_size | semmle.label | local_size |
+| test.cpp:229:9:229:18 | local_size | semmle.label | local_size |
+| test.cpp:229:9:229:18 | local_size | semmle.label | local_size |
+| test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
+| test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
+| test.cpp:231:9:231:24 | call to get_tainted_size | semmle.label | call to get_tainted_size |
+| test.cpp:235:11:235:20 | (size_t)... | semmle.label | (size_t)... |
+| test.cpp:237:10:237:19 | (size_t)... | semmle.label | (size_t)... |
 #select
 | test.cpp:42:31:42:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:42:38:42:44 | tainted | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
 | test.cpp:43:31:43:36 | call to malloc | test.cpp:39:21:39:24 | argv | test.cpp:43:38:43:63 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:39:21:39:24 | argv | user input (argv) |
@@ -149,3 +245,10 @@ nodes
 | test.cpp:134:10:134:27 | ... * ... | test.cpp:132:19:132:24 | call to getenv | test.cpp:134:10:134:13 | size | This allocation size is derived from $@ and might overflow | test.cpp:132:19:132:24 | call to getenv | user input (getenv) |
 | test.cpp:142:4:142:9 | call to malloc | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:28 | ... * ... | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
 | test.cpp:142:11:142:28 | ... * ... | test.cpp:138:19:138:24 | call to getenv | test.cpp:142:11:142:14 | size | This allocation size is derived from $@ and might overflow | test.cpp:138:19:138:24 | call to getenv | user input (getenv) |
+| test.cpp:201:9:201:42 | ... * ... | test.cpp:201:14:201:19 | call to getenv | test.cpp:201:9:201:12 | call to atoi | This allocation size is derived from $@ and might overflow | test.cpp:201:14:201:19 | call to getenv | user input (getenv) |
+| test.cpp:206:13:206:46 | ... * ... | test.cpp:206:18:206:23 | call to getenv | test.cpp:206:13:206:16 | call to atoi | This allocation size is derived from $@ and might overflow | test.cpp:206:18:206:23 | call to getenv | user input (getenv) |
+| test.cpp:215:14:215:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:215:21:215:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
+| test.cpp:221:14:221:19 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:221:21:221:21 | s | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
+| test.cpp:227:19:227:52 | ... * ... | test.cpp:227:24:227:29 | call to getenv | test.cpp:227:19:227:22 | call to atoi | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
+| test.cpp:229:2:229:7 | call to malloc | test.cpp:227:24:227:29 | call to getenv | test.cpp:229:9:229:18 | local_size | This allocation size is derived from $@ and might overflow | test.cpp:227:24:227:29 | call to getenv | user input (getenv) |
+| test.cpp:231:2:231:7 | call to malloc | test.cpp:201:14:201:19 | call to getenv | test.cpp:231:9:231:24 | call to get_tainted_size | This allocation size is derived from $@ and might overflow | test.cpp:201:14:201:19 | call to getenv | user input (getenv) |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/TaintedAllocationSize/test.cpp
@@ -5,8 +5,8 @@ typedef struct {} FILE;
 
 void *malloc(size_t size);
 void *realloc(void *ptr, size_t size);
+void free(void *ptr);
 int atoi(const char *nptr);
-
 struct MyStruct
 {
 	char data[256];
@@ -190,3 +190,49 @@ void more_bounded_tests() {
 		}
 	}
 }
+
+size_t get_untainted_size()
+{
+	return 10 * sizeof(int);
+}
+
+size_t get_tainted_size()
+{
+	return atoi(getenv("USER")) * sizeof(int);
+}
+
+size_t get_bounded_size()
+{
+	size_t s = atoi(getenv("USER")) * sizeof(int);
+
+	if (s < 0) { s = 0; }
+	if (s > 100) { s = 100; }
+
+	return s;
+}
+
+void *my_alloc(size_t s) {
+	void *ptr = malloc(s); // [UNHELPFUL RESULT]
+
+	return ptr;
+}
+
+void my_func(size_t s) {
+	void *ptr = malloc(s); // BAD
+
+	free(ptr);
+}
+
+void more_cases() {
+	int local_size = atoi(getenv("USER")) * sizeof(int);
+
+	malloc(local_size); // BAD
+	malloc(get_untainted_size()); // GOOD
+	malloc(get_tainted_size()); // BAD
+	malloc(get_bounded_size()); // GOOD
+
+	my_alloc(100); // GOOD
+	my_alloc(local_size); // BAD [NOT DETECTED IN CORRECT LOCATION]
+	my_func(100); // GOOD
+	my_func(local_size); // GOOD
+}
