codeql/cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql at 4a8fbba521b45e45bdc93fcb4226c258ac9ac35c · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
/**
 * @name Dangerous use SSL_shutdown
 * @description Incorrect closing of the connection leads to the creation of different states for the server and client, which can be exploited by an attacker.
 * @kind problem
 * @id cpp/dangerous-use-of-ssl-shutdown
 * @problem.severity warning
 * @precision medium
 * @tags correctness
 *       security
 *       experimental
 *       external/cwe/cwe-670
 */

import cpp
import semmle.code.cpp.commons.Exclusions
import semmle.code.cpp.valuenumbering.GlobalValueNumbering

from FunctionCall fc, FunctionCall fc1
where
  fc != fc1 and
  fc.getASuccessor+() = fc1 and
  fc.getTarget().hasName("SSL_shutdown") and
  fc1.getTarget().hasName("SSL_shutdown") and
  fc1 instanceof ExprInVoidContext and
  (
    globalValueNumber(fc.getArgument(0)) = globalValueNumber(fc1.getArgument(0)) or
    fc.getArgument(0).(VariableAccess).getTarget() = fc1.getArgument(0).(VariableAccess).getTarget()
  ) and
  not exists(FunctionCall fctmp |
    fctmp.getTarget().hasName("SSL_free") and
    fc.getASuccessor+() = fctmp and
    fctmp.getASuccessor+() = fc1
  )
select fc, "You need to handle the return value 'SSL_shutdown'."