/**
* @name Suspicious add with sizeof
 * @description Adding a `sizeof` offset to a pointer whose pointee type is
 * not `char` or `void` scales the offset twice (once explicitly by `sizeof`,
 * once implicitly by the pointee size), so the resulting pointer can land
 * outside the intended buffer (CWE-468, incorrect pointer scaling).
* @kind problem
* @problem.severity warning
* @security-severity 8.8
* @precision high
* @id cpp/suspicious-add-sizeof
* @tags security
* external/cwe/cwe-468
*/
import cpp
import IncorrectPointerScalingCommon
/**
 * Holds if `e`, after all implicit conversions and with typedefs and
 * specifiers stripped, has a pointer type whose pointee is `char` or `void`.
 * Those are the byte-addressed pointers for which a `sizeof` offset is the
 * expected unit of arithmetic; any other pointee type is implicitly scaled.
 */
private predicate isCharSzPtrExpr(Expr e) {
  exists(Type pointee |
    pointee = e.getFullyConverted().getUnspecifiedType().(PointerType).getBaseType()
  |
    pointee instanceof CharType
    or
    pointee instanceof VoidType
  )
}
/*
 * `addWithSizeof` (presumably supplied by IncorrectPointerScalingCommon)
 * matches a pointer addition whose offset contains a `sizeof`. That is only
 * benign when the pointer operand is byte-addressed (`char *` / `void *`);
 * for any other pointee type the compiler scales the offset a second time,
 * so flag the `sizeof` expression and report the offending pointer type.
 */
from Expr sizeofExpr, Expr e, Type ptrType
where
  not isCharSzPtrExpr(e) and
  addWithSizeof(e, sizeofExpr, _) and
  ptrType = e.getFullyConverted().getType()
select sizeofExpr,
  "Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@.",
  ptrType, ptrType.toString()