/**
* @name Suspicious add with sizeof
* @description Adding a `sizeof(...)` value to a pointer whose pointee type
* is wider than one byte scales the offset twice (once explicitly by
* `sizeof`, once implicitly by the pointer's element size), so the
* resulting pointer can land outside the intended buffer.
* @kind problem
* @problem.severity warning
* @security-severity 8.8
* @precision high
* @id cpp/suspicious-add-sizeof
* @tags security
* external/cwe/cwe-468
*/
import cpp
import IncorrectPointerScalingCommon
/**
 * Holds if the fully-converted form of `e` has a pointer type whose pointee
 * is a byte-sized character type (`CharType`), `void`, or an erroneous type.
 *
 * Pointers to such types are the ones on which an explicit `sizeof` offset is
 * expected, because the implicit scale factor is 1 (or unknown). Specifiers
 * such as `const`/`volatile` and typedef names are stripped first, so
 * `const char *` and `uint8_t *` are treated the same as `char *`.
 *
 * NOTE(review): an `ErroneousType` pointee is accepted because a build that
 * failed to resolve the type could still be `char`/`void` in a successful
 * compilation. Presumably `wchar_t`, `char16_t`, `char32_t` and `std::byte`
 * pointees do not satisfy `CharType` and are therefore reported — confirm
 * against the library's type hierarchy if that is not intended.
 */
private predicate isCharSzPtrExpr(Expr e) {
  exists(Type pointee |
    pointee = e.getFullyConverted().getUnspecifiedType().(PointerType).getBaseType()
  |
    pointee instanceof CharType
    or
    pointee instanceof VoidType
    or
    pointee instanceof ErroneousType
  )
}
/*
 * Report every `sizeof` operand of an `addWithSizeof` pointer addition whose
 * pointer operand (after implicit conversions) is not a `char *`, `void *` or
 * erroneous-type pointer. For those pointer types the explicit `sizeof`
 * offset is idiomatic; for any other pointee type the compiler additionally
 * multiplies the offset by the element size, which is the double scaling
 * the query is looking for.
 *
 * The alert is placed on the `sizeof` expression and links to the pointer's
 * (converted) type so the reader can see which element size is implied.
 */
from Expr sizeofExpr, Expr ptrExpr, Type ptrType
where
  addWithSizeof(ptrExpr, sizeofExpr, _) and
  // `char *` / `void *` (and unresolved types) are the expected operands;
  // anything else is most likely a mistake.
  not isCharSzPtrExpr(ptrExpr) and
  ptrType = ptrExpr.getFullyConverted().getType()
select sizeofExpr,
  "Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@.",
  ptrType, ptrType.toString()