UnsafeUseOfStrcat.ql
/**
* @name Potentially unsafe use of strcat
* @description Using 'strcat' without checking the size of the source string
* may result in a buffer overflow
* @kind problem
* @problem.severity warning
* @security-severity 9.8
* @precision medium
* @id cpp/unsafe-strcat
* @tags reliability
* correctness
* security
* external/cwe/cwe-676
* external/cwe/cwe-120
* external/cwe/cwe-251
*/
import cpp
import Buffer
/**
* An access to a variable that is initialized by a constant
* expression, and is never used as an lvalue anywhere else.
*/
/**
 * Holds if `a` reads a variable that is initialized with a constant
 * expression and that no access anywhere in the program writes to
 * (i.e. is never used as an lvalue). Such a variable keeps its
 * initial contents, so its length is fixed at the point of use.
 */
predicate isEffectivelyConstAccess(VariableAccess a) {
  // `getTarget()` is functional, so the binding via `exists(Variable v | ...)`
  // is not needed: the two conditions apply to the single target variable.
  a.getTarget().getInitializer().getExpr().isConstant() and
  not a.getTarget().getAnAccess().isUsedAsLValue()
}
/**
 * A variable access passed as the second (source) argument of a call to a
 * function named `strcat`. Only direct variable accesses are modelled; a
 * source that is the result of another expression (e.g. a call) is not a
 * `StrcatSource`.
 */
class StrcatSource extends VariableAccess {
  FunctionCall call;

  StrcatSource() {
    this = call.getArgument(1) and
    call.getTarget().hasName("strcat")
  }

  /** Gets the `strcat` call that this access is the source argument of. */
  FunctionCall getStrcatCall() { result = call }
}
/**
 * Holds if some `BufferSizeExpr` (as classified by `Buffer`) is applied to
 * variable `v` anywhere in the program. Note that this is a whole-program
 * heuristic: the size expression need not dominate, or even be in the same
 * function as, the `strcat` call being examined.
 */
predicate hasBufferSizeCheck(Variable v) {
  exists(BufferSizeExpr bse | bse.getArg().(VariableAccess).getTarget() = v)
}

// Report a strcat call when its source argument is neither declared as an
// array, nor subject to any size computation anywhere in the program, nor
// an effectively constant variable.
from StrcatSource src
where
  not src.getType() instanceof ArrayType and
  not hasBufferSizeCheck(src.getTarget()) and
  not isEffectivelyConstAccess(src)
select src.getStrcatCall(), "Always check the size of the source buffer when using strcat."