Startseite Erkunden Hilfe
Registrieren Anmelden
FangSoftSoft
/
clang
2
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Quellcode durchsuchen

[analyzer] Don't flag strcpy of string literals into sufficiently large buffers.

In the security package, we have a simple syntactic check that warns about
strcpy() being insecure, due to potential buffer overflows.

Suppress that check's warning in the trivial situation when the source is an
immediate null-terminated string literal and the target is an immediate
sufficiently large buffer.

Patch by András Leitereg!

Differential Revision: https://reviews.llvm.org/D41384


git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@322410 91177308-0d34-0410-b5e6-96231b3b80d8
Artem Dergachev vor 7 Jahren
Ursprung
3fb45fcca0
Commit
bdecb5f0d4
2 geänderte Dateien mit 21 neuen und 0 gelöschten Zeilen
Gesamtansicht Diff-Statistik anzeigen
  1. 11 0
      lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
  2. 10 0
      test/Analysis/security-syntax-checks.m

+ 11 - 0
lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
Datei anzeigen 

@@ -510,6 +510,17 @@ void WalkAST::checkCall_strcpy(const CallExpr *CE, const FunctionDecl *FD) {
 
   if (!checkCall_strCommon(CE, FD))
 
   if (!checkCall_strCommon(CE, FD))
 
     return;
 
     return;
 
 
 
+  const auto *Target = CE->getArg(0)->IgnoreImpCasts(),
 
+             *Source = CE->getArg(1)->IgnoreImpCasts();
 
+  if (const auto *DeclRef = dyn_cast<DeclRefExpr>(Target))
 
+    if (const auto *Array = dyn_cast<ConstantArrayType>(DeclRef->getType())) {
 
+      uint64_t ArraySize = BR.getContext().getTypeSize(Array) / 8;
 
+      if (const auto *String = dyn_cast<StringLiteral>(Source)) {
 
+        if (ArraySize >= String->getLength() + 1)
 
+          return;
 
+      }
 
+    }
 
+
 
   // Issue a warning.
 
   // Issue a warning.
 
   PathDiagnosticLocation CELoc =
 
   PathDiagnosticLocation CELoc =
 
     PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
 
     PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);

+ 10 - 0
test/Analysis/security-syntax-checks.m
Datei anzeigen 

@@ -146,6 +146,16 @@ void test_strcpy() {
 
   strcpy(x, y); //expected-warning{{Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119}}
 
   strcpy(x, y); //expected-warning{{Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119}}
 
 }
 
 }
 
 
 
+void test_strcpy_2() {
 
+  char x[4];
 
+  strcpy(x, "abcd"); //expected-warning{{Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119}}
 
+}
 
+
 
+void test_strcpy_safe() {
 
+  char x[5];
 
+  strcpy(x, "abcd");
 
+}
 
+
 
 //===----------------------------------------------------------------------===
 
 //===----------------------------------------------------------------------===
 
 // strcat()
 
 // strcat()
 
 //===----------------------------------------------------------------------===
 
 //===----------------------------------------------------------------------===