import semmle.code.cpp.valuenumbering.GlobalValueNumbering

class PossiblyUnsafeStringOperationSource extends Source {

PossiblyUnsafeStringOperation op;

PossiblyUnsafeStringOperationSource() { this.asExpr() = op.getAnArgument() }

PossiblyUnsafeStringOperation getOp() { result = op }

class CharArraySource extends Source {

CharArrayInitializedWithStringLiteral op;

CharArraySource() {

op.getContainerLength() <= op.getStringLiteralLength() and

this.asExpr() = op

}

abstract class Source extends DataFlow::Node { }

class Sink extends DataFlow::Node {

Sink() {

exists(ExpectsNullTerminatedStringAsArgumentFunctionCall fc |

fc.getAnExpectingExpr() = this.asExpr()

}

module MyFlowConfiguration implements DataFlow::ConfigSig {

predicate isSink(DataFlow::Node sink) {

sink instanceof Sink and

//don't report violations of the same function call

not sink instanceof Source

}

predicate isSource(DataFlow::Node source) { source instanceof Source }

predicate isAdditionalFlowStep(DataFlow::Node innode, DataFlow::Node outnode) {

exists(FunctionCall realloc, ReallocFunction fn |

fn.getACallToThisFunction() = realloc and

realloc.getArgument(0) = innode.asExpr() and

realloc = outnode.asExpr()

}

class ReallocFunction extends AllocationFunction {

ReallocFunction() { exists(this.getReallocPtrArg()) }

predicate isGuarded(Expr guarded, Expr source) {

exists(AssignExpr aexp |

// this must be AFTER the operation causing the non-null termination

aexp.getAPredecessor+() = source and

//this guards anything after it

aexp.getASuccessor+() = guarded and

// no reallocs exist after this because they will be conservatively assumed to make the buffer smaller and remove the likliehood of this properly terminating

not exists(ReallocFunction realloc, FunctionCall fn |

fn = realloc.getACallToThisFunction() and

globalValueNumber(aexp.getLValue().(ArrayExpr).getArrayBase()) =

globalValueNumber(fn.getArgument(0)) and

aexp.getASuccessor+() = fn

)

module MyFlow = TaintTracking::Global<MyFlowConfiguration>;

DataFlow::Node source, DataFlow::Node sink, ExpectsNullTerminatedStringAsArgumentFunctionCall fc,

Expr e

MyFlow::flow(source, sink) and

sink.asExpr() = fc.getAnExpectingExpr() and

not isGuarded(sink.asExpr(), source.asExpr()) and

if source instanceof PossiblyUnsafeStringOperationSource

then e = source.(PossiblyUnsafeStringOperationSource).getOp()

else e = source.asExpr()

| test.c:20:3:20:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:8:20:8:24 | Cod | this expression |

| test.c:21:3:21:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:8:20:8:24 | Cod | this expression |

| test.c:23:3:23:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:14:3:14:9 | call to strncpy | this expression |

| test.c:24:3:24:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:14:3:14:9 | call to strncpy | this expression |

| test.c:25:3:25:8 | call to strlen | String modified by $@ is passed to function expecting a null-terminated string. | test.c:14:3:14:9 | call to strncpy | this expression |

| test.c:34:3:34:9 | call to wprintf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:31:24:31:29 | Cod | this expression |

| test.c:47:3:47:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:42:3:42:10 | call to snprintf | this expression |

| test.c:48:3:48:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:42:3:42:10 | call to snprintf | this expression |

| test.c:56:3:56:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:54:3:54:9 | call to strncat | this expression |

| test.c:57:3:57:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:54:3:54:9 | call to strncat | this expression |

| test.c:63:3:63:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:61:20:61:24 | Cod | this expression |

| test.c:64:3:64:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:61:20:61:24 | Cod | this expression |

| test.c:76:3:76:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:73:20:73:24 | Cod | this expression |

| test.c:77:3:77:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:73:20:73:24 | Cod | this expression |

| test.c:86:3:86:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:84:3:84:9 | call to strncpy | this expression |

| test.c:87:3:87:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:84:3:84:9 | call to strncpy | this expression |

| test.c:95:3:95:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:93:17:93:21 | Cod | this expression |

| test.c:95:3:95:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:94:3:94:9 | call to strncpy | this expression |

| test.c:98:3:98:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:93:17:93:21 | Cod | this expression |

| test.c:98:3:98:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:94:3:94:9 | call to strncpy | this expression |

| test.c:122:3:122:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:117:17:117:21 | Cod | this expression |

| test.c:122:3:122:8 | call to printf | String modified by $@ is passed to function expecting a null-terminated string. | test.c:118:3:118:9 | call to strncpy | this expression |

#include <stdlib.h>

}

void test_fn_reported_in_31_simple() {

char *str;

str = (char *)malloc(3);

char a31[3] = "Cod"; // is NOT null terminated

strncpy(str, a31, 3);

printf(str); // NON_COMPLIANT

size_t cur_msg_size = 1024;

str = realloc(str, (cur_msg_size / 2 + 1) * sizeof(char));

printf(str); // NON_COMPLIANT

}

void test_fn_reported_in_31_simple_safe() {

char *str;

str = (char *)malloc(3);

char a31[3] = "Cod"; // is NOT null terminated

strncpy(str, a31, 3);

size_t cur_msg_size = 1024;

size_t temp_size = cur_msg_size / 2 + 1;

str = realloc(str, temp_size * sizeof(char));

str[temp_size - 1] = L'\0'; // Properly null-terminate str

printf(str); // COMPLIANT

}

void test_fn_reported_in_31_simple_relloc() {

char *str;

size_t cur_msg_size = 1024;

str = (char *)malloc(cur_msg_size);

char a31[3] = "Cod"; // is NOT null terminated

strncpy(str, a31, 3);

str[cur_msg_size - 1] = L'\0'; // Properly null-terminate str

size_t temp_size = cur_msg_size / 2 + 1;

str = realloc(str, temp_size * sizeof(char));

printf(str); // NON_COMPLIANT

}

- `STR32-C` - `NonNullTerminatedToFunctionThatExpectsAString.ql`:

- Fixes #31. Realloc and null termination were not modelled previously.

// consider `strcpy` since it is a banned function.

// We cannot know if the string is already null terminated or not and thus

// the conservative assumption is that it is not

// The behavior of strncpy(dest, src, n) is that if sizeof(src) < n

// then it will fill remainder of dst with ‘\0’ characters

// ie it is only in this case that it is guaranteed to null terminate

// Otherwise, dst is not terminated

// If `src` is already null-terminated then it will be null

// terminated if n >= sizeof(src). but we do not assume on this.

// Note that a buffer overflow is possible if

// n <= sizeof(src) might not null terminate

(bwc.getExplicitLimit() / bwc.getCharSize()) <= getBufferSize(src, _)

or

// sizeof(dest) < n might not null terminate