
Commit 72daf2e

committed
C++: Make the tests more realistic by actually using the local variable for something. Otherwise it looks like a zero-initialization of a buffer, which the query now tries to exclude.
1 parent faadcd9 commit 72daf2e


2 files changed

+63
-36
lines changed

Lines changed: 3 additions & 3 deletions
@@ -1,3 +1,3 @@
1-
| test.cpp:44:5:44:10 | call to memset | Call to memset may be deleted by the compiler. |
2-
| test.cpp:72:5:72:10 | call to memset | Call to memset may be deleted by the compiler. |
3-
| test.cpp:192:2:192:7 | call to memset | Call to memset may be deleted by the compiler. |
1+
| test.cpp:48:5:48:10 | call to memset | Call to memset may be deleted by the compiler. |
2+
| test.cpp:79:5:79:10 | call to memset | Call to memset may be deleted by the compiler. |
3+
| test.cpp:208:2:208:7 | call to memset | Call to memset may be deleted by the compiler. |

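--- a/cpp/ql/test/query-tests/Security/CWE/CWE-014/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-014/test.cpp
@@ -11,6 +11,7 @@ extern "C" {
 void free(void *ptr);
 extern void use_pw(char *pw);
 int printf(const char* format, ...);
+char* gets(char * str);
 }
 
 #define PW_SIZE 32
@@ -25,30 +26,34 @@ struct mem {
 // x86-64 clang 9.0.0: not deleted
 // x64 msvc v19.22: not deleted
 void func(char buff[128], unsigned long long sz) {
-memset(buff, 0, PW_SIZE); // GOOD
+gets(buff);
+memset(buff, 0, PW_SIZE); // GOOD
 }
 
 // x86-64 gcc 9.2: not deleted
 // x86-64 clang 9.0.0: not deleted
 // x64 msvc v19.22: not deleted
-char *func2(char buff[128], unsigned long long sz) {
-memset(buff, 0, PW_SIZE); // GOOD
-return buff;
+char *func2(char buff[128], unsigned long long sz) {
+gets(buff);
+memset(buff, 0, PW_SIZE); // GOOD
+return buff;
 }
 
 // x86-64 gcc 9.2: deleted
 // x86-64 clang 9.0.0: deleted
 // x64 msvc v19.22: deleted
 void func3(unsigned long long sz) {
-char buff[128];
+char buff[128];
+gets(buff);
 memset(buff, 0, PW_SIZE); // BAD
 }
 
 // x86-64 gcc 9.2: deleted
 // x86-64 clang 9.0.0: deleted
 // x64 msvc v19.22: deleted
 void func4(unsigned long long sz) {
-char buff[128];
+char buff[128];
+gets(buff);
 memset(buff, 0, PW_SIZE); // BAD [NOT DETECTED]
 strcpy(buff, "Hello");
 }
@@ -57,7 +62,8 @@ void func4(unsigned long long sz) {
 // x86-64 clang 9.0.0: deleted
 // x64 msvc v19.22: deleted
 void func5(unsigned long long sz) {
-char buff[128];
+char buff[128];
+gets(buff);
 memset(buff, 0, PW_SIZE); // BAD [NOT DETECTED]
 if (sz > 5) {
 strcpy(buff, "Hello");
@@ -68,15 +74,17 @@ void func5(unsigned long long sz) {
 // x86-64 clang 9.0.0: deleted
 // x64 msvc v19.22: deleted
 void func6(unsigned long long sz) {
-struct mem m;
+struct mem m;
+gets(m.b);
 memset(&m, 0, PW_SIZE); // BAD
 }
 
 // x86-64 gcc 9.2: deleted
 // x86-64 clang 9.0.0: deleted
 // x64 msvc v19.22: deleted
 void func7(unsigned long long sz) {
-struct mem m;
+struct mem m;
+gets(m.b);
 memset(&m, 0, PW_SIZE); // BAD [NOT DETECTED]
 m.a = 15;
 }
@@ -86,6 +94,7 @@ void func7(unsigned long long sz) {
 // x64 msvc v19.22: not deleted
 void func8(unsigned long long sz) {
 struct mem *m = (struct mem *)malloc(sizeof(struct mem));
+gets(m->b);
 memset(m, 0, PW_SIZE); // BAD [NOT DETECTED]
 }
 
@@ -94,6 +103,7 @@ void func8(unsigned long long sz) {
 // x64 msvc v19.22: not deleted
 void func9(unsigned long long sz) {
 struct mem *m = (struct mem *)malloc(sizeof(struct mem));
+gets(m->b);
 memset(m, 0, PW_SIZE); // BAD [NOT DETECTED]
 free(m);
 }
@@ -103,6 +113,7 @@ void func9(unsigned long long sz) {
 // x64 msvc v19.22: not deleted
 void func10(unsigned long long sz) {
 struct mem *m = (struct mem *)malloc(sizeof(struct mem));
+gets(m->b);
 memset(m, 0, PW_SIZE); // BAD [NOT DETECTED]
 m->a = sz;
 m->c = m->a + 1;
@@ -113,6 +124,7 @@ void func10(unsigned long long sz) {
 // x64 msvc v19.22: not deleted
 void func11(unsigned long long sz) {
 struct mem *m = (struct mem *)malloc(sizeof(struct mem));
+gets(m->b);
 ::memset(m, 0, PW_SIZE); // BAD [NOT DETECTED]
 if (sz > 5) {
 strcpy(m->b, "Hello");
@@ -124,12 +136,14 @@ void func11(unsigned long long sz) {
 // x64 msvc v19.22: not deleted
 int func12(unsigned long long sz) {
 struct mem *m = (struct mem *)malloc(sizeof(struct mem));
+gets(m->b);
 memset(m, 0, sz); // GOOD
 return m->c;
 }
 
 int funcN1() {
 char pw[PW_SIZE];
+gets(pw);
 char *pw_ptr = pw;
 memset(pw, 0, PW_SIZE); // GOOD
 use_pw(pw_ptr);
@@ -138,23 +152,25 @@ int funcN1() {
 
 char pw_global[PW_SIZE];
 int funcN2() {
+gets(pw_global);
 use_pw(pw_global);
 memset(pw_global, 0, PW_SIZE); // GOOD
 return 0;
 }
 
 int funcN3(unsigned long long sz) {
 struct mem m;
+gets(m.b);
 memset(&m, 0, sizeof(m)); // GOOD
 return m.a;
 }
 
 void funcN(int num) {
 char pw[PW_SIZE];
 int i;
-
 for (i = 0; i < num; i++)
 {
+gets(pw);
 use_pw(pw);
 memset(pw, 0, PW_SIZE); // GOOD
 }
@@ -193,11 +209,13 @@ void badFunc0_0(){
 }
 
 void nobadFunc1_0() {
-unsigned char* buff1 = (unsigned char *) malloc(PW_SIZE);
+char* buff1 = (char *) malloc(PW_SIZE);
+gets(buff1);
 memset(buff1, 0, PW_SIZE); // BAD [NOT DETECTED]
 }
 void badFunc1_0(){
-unsigned char * buff1 = (unsigned char *) malloc(PW_SIZE);
+char * buff1 = (char *) malloc(PW_SIZE);
+gets(buff1);
 memset(buff1, 0, PW_SIZE); // BAD [NOT DETECTED]
 free(buff1);
 }
@@ -217,14 +235,16 @@ void nobadFunc2_0_0(){
 }
 
 void nobadFunc2_0_1(){
-unsigned char buff1[PW_SIZE];
+char buff1[PW_SIZE];
+gets(buff1);
 memset(buff1, '\0', sizeof(buff1));
 memset(buff1, 0, PW_SIZE); // GOOD
 printf("%s", buff1 + 3);
 }
 
 void nobadFunc2_0_2(){
-unsigned char buff1[PW_SIZE];
+char buff1[PW_SIZE];
+gets(buff1);
 memset(buff1, 0, PW_SIZE); // GOOD
 printf("%c", *buff1);
 }
@@ -238,14 +258,16 @@ void nobadFunc2_0_3(char ch){
 printf("%c", *(buff1 + 3));
 }
 
-unsigned char * nobadFunc2_0_4(){
-unsigned char buff1[PW_SIZE];
+char * nobadFunc2_0_4(){
+char buff1[PW_SIZE];
+gets(buff1);
 memset(buff1, 0, PW_SIZE); // GOOD
 return buff1;
 }
 
-unsigned char * nobadFunc2_0_5(){
-unsigned char buff1[PW_SIZE];
+char * nobadFunc2_0_5(){
+char buff1[PW_SIZE];
+gets(buff1);
 memset(buff1, 0, PW_SIZE); // GOOD
 
 return buff1+3;
@@ -261,28 +283,31 @@ unsigned char nobadFunc2_0_6(){
 }
 
 unsigned char nobadFunc2_0_7(){
-unsigned char buff1[PW_SIZE];
+char buff1[PW_SIZE];
+gets(buff1);
 memset(buff1, 0, PW_SIZE); // GOOD
 
 return *(buff1 + 3);
 }
 
 bool nobadFunc2_1_0(unsigned char ch){
-unsigned char buff1[PW_SIZE];
-
+char buff1[PW_SIZE];
+gets(buff1);
 memset(buff1, 0, PW_SIZE); // GOOD
 if(*buff1 == ch) { return true; }
 return false;
 }
 
 void nobadFunc2_1_2(){
-unsigned char buff1[PW_SIZE];
+char buff1[PW_SIZE];
+gets(buff1);
 memset(buff1, 0, PW_SIZE); // BAD [NOT DETECTED]
 buff1[2] = 5;
 }
 
-void nobadFunc3_0(unsigned char * buffAll){
-unsigned char * buff1 = buffAll;
+void nobadFunc3_0(char * buffAll){
+char * buff1 = buffAll;
+gets(buff1);
 memset(buff1, 0, PW_SIZE); // GOOD
 }
 
@@ -293,12 +318,13 @@ void nobadFunc3_1(unsigned char * buffAll){
 
 struct buffers
 {
-unsigned char buff1[50];
+char buff1[50];
 unsigned char *buff2;
 };
 
 void nobadFunc3_2(struct buffers buffAll) {
-unsigned char * buff1 = buffAll.buff1;
+char * buff1 = buffAll.buff1;
+gets(buff1);
 memset(buff1, 0, PW_SIZE); // GOOD
 }
 
@@ -313,7 +339,7 @@ void nobadFunc3_4(struct buffers buffAll) {
 }
 
 void nobadFunc3_5(struct buffers * buffAll) {
-unsigned char * buff1 = buffAll->buff1;
+char * buff1 = buffAll->buff1;
 memset(buff1, 0, PW_SIZE); // GOOD
 }
 
@@ -322,26 +348,27 @@ void nobadFunc3_6(struct buffers *buffAll){
 memset(buff1, 0, PW_SIZE); // GOOD
 }
 
-unsigned char * globalBuff;
+char * globalBuff;
 
 void nobadFunc4(){
-unsigned char * buff1 = globalBuff;
+char * buff1 = globalBuff;
 memset(buff1, 0, PW_SIZE); // GOOD
 }
 
 void nobadFunc4_0(){
-unsigned char * buff1 = globalBuff;
+char * buff1 = globalBuff;
+gets(buff1);
 memset(buff1, 0, PW_SIZE); // GOOD
 }
 void nobadFunc4_1(){
-unsigned char * buff1 = globalBuff + 3;
+char * buff1 = globalBuff + 3;
 memset(buff1, 0, PW_SIZE); // GOOD
 }
 
 buffers globalBuff1, *globalBuff2;
 
 void nobadFunc4_2(){
-unsigned char * buff1 = globalBuff1.buff1;
+char * buff1 = globalBuff1.buff1;
 memset(buff1, 0, PW_SIZE); // GOOD
 }
 
@@ -356,7 +383,7 @@ void nobadFunc4_4(){
 }
 
 void nobadFunc4_5(){
-unsigned char * buff1 = globalBuff2->buff1;
+char * buff1 = globalBuff2->buff1;
 memset(buff1, 0, PW_SIZE); // GOOD
 }
 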
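Review bot: The `gets` declaration added at new line 14, and the `gets(...)` calls added in almost every test function, are an unbounded read into fixed-size buffers (`char buff[128]`, `char pw[PW_SIZE]`, and the unchecked `malloc` results in func8 to func12), and nothing in the file says it is only a stand-in for "the buffer now holds data worth clearing". I would add a comment on the declaration, for example `// Test-only data source so the buffer is written before the memset; gets() is unbounded and was removed from C11/C++14.` Separately, nobadFunc3_5, nobadFunc4, nobadFunc4_1, nobadFunc4_2 and nobadFunc4_5 received the `unsigned char` to `char` change but no `gets(buff1)` call, unlike nobadFunc3_0, nobadFunc3_2 and nobadFunc4_0. If that is deliberate (presumably to keep a variant with no prior write covered), a one-line comment on those cases would say so. Several of these functions begin or end outside the visible hunks, so this is based on the shown lines only.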
