cppcheck/lib/checkbufferoverrun.h

320 lines
13 KiB
C
Raw Normal View History

/*
* Cppcheck - A tool for static C/C++ code analysis
2019-02-09 07:24:06 +01:00
* Copyright (C) 2007-2019 Cppcheck team.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
//---------------------------------------------------------------------------
#ifndef checkbufferoverrunH
#define checkbufferoverrunH
//---------------------------------------------------------------------------
2009-03-20 17:35:53 +01:00
#include "check.h"
2017-05-27 04:33:47 +02:00
#include "config.h"
#include "errorlogger.h"
#include "mathlib.h"
2017-05-27 04:33:47 +02:00
#include "tokenize.h"
2017-05-27 04:33:47 +02:00
#include <cstddef>
#include <list>
2017-05-27 04:33:47 +02:00
#include <map>
#include <string>
2017-05-27 04:33:47 +02:00
#include <vector>
class Settings;
class SymbolDatabase;
class Token;
namespace ValueFlow {
2017-05-28 15:56:26 +02:00
class Value;
2017-05-27 04:33:47 +02:00
} // namespace ValueFlow
namespace tinyxml2 {
2017-05-28 15:56:26 +02:00
class XMLElement;
2017-05-27 04:33:47 +02:00
} // namespace tinyxml2
// CWE ids used
static const struct CWE CWE119(119U); // Improper Restriction of Operations within the Bounds of a Memory Buffer
class Variable;
/// @addtogroup Checks
/// @{
/**
* @brief buffer overruns and array index out of bounds
*
* Buffer overrun and array index out of bounds are pretty much the same.
* But I generally use 'array index' if the code contains []. And the given
* index is out of bounds.
* I generally use 'buffer overrun' if you for example call a strcpy or
* other function and pass a buffer and reads or writes too much data.
*/
class CPPCHECKLIB CheckBufferOverrun : public Check {
public:
2009-03-20 17:35:53 +01:00
/** This constructor is used when registering the CheckClass */
2018-06-17 17:20:16 +02:00
CheckBufferOverrun() : Check(myName()) {
}
2009-03-20 17:35:53 +01:00
2010-03-17 22:16:18 +01:00
/** This constructor is used when running checks. */
2009-07-13 16:00:15 +02:00
CheckBufferOverrun(const Tokenizer *tokenizer, const Settings *settings, ErrorLogger *errorLogger)
2018-06-17 17:20:16 +02:00
: Check(myName(), tokenizer, settings, errorLogger) {
}
2009-03-20 17:35:53 +01:00
void runSimplifiedChecks(const Tokenizer *tokenizer, const Settings *settings, ErrorLogger *errorLogger) OVERRIDE {
2009-07-13 16:00:15 +02:00
CheckBufferOverrun checkBufferOverrun(tokenizer, settings, errorLogger);
checkBufferOverrun.checkGlobalAndLocalVariable();
2016-07-10 22:24:28 +02:00
if (tokenizer && tokenizer->isMaxTime())
return;
checkBufferOverrun.checkStructVariable();
checkBufferOverrun.checkBufferAllocatedWithStrlen();
checkBufferOverrun.checkInsecureCmdLineArgs();
checkBufferOverrun.arrayIndexThenCheck();
checkBufferOverrun.negativeArraySize();
2009-03-20 17:35:53 +01:00
}
void runChecks(const Tokenizer *tokenizer, const Settings *settings, ErrorLogger *errorLogger) OVERRIDE {
CheckBufferOverrun checkBufferOverrun(tokenizer, settings, errorLogger);
checkBufferOverrun.bufferOverrun();
checkBufferOverrun.checkStringArgument();
}
/** @brief %Check for buffer overruns (single pass, use ast and valueflow) */
void bufferOverrun();
/** @brief Using array index before bounds check */
void arrayIndexThenCheck();
/** @brief negative size for array */
void negativeArraySize();
/**
* @brief Get minimum length of format string result
* @param input_string format string
* @param parameters given parameters to sprintf
* @return minimum length of resulting string
*/
static MathLib::biguint countSprintfLength(const std::string &input_string, const std::list<const Token*> &parameters);
/** Check for buffer overruns - locate struct variables and check them with the .._CheckScope function */
void checkStructVariable();
/** Check for buffer overruns - locate global variables and local function variables and check them with the checkScope function */
void checkGlobalAndLocalVariable();
/** Check for buffer overruns due to allocating strlen(src) bytes instead of (strlen(src)+1) bytes before copying a string */
void checkBufferAllocatedWithStrlen();
2010-06-02 18:09:25 +02:00
/** Check string argument buffer overruns */
void checkStringArgument();
/** Check for buffer overruns due to copying command-line args to fixed-sized buffers without bounds checking */
void checkInsecureCmdLineArgs();
/** Information about N-dimensional array */
class CPPCHECKLIB ArrayInfo {
private:
/** number of elements of array */
2018-06-17 17:20:16 +02:00
std::vector<MathLib::bigint> mNum;
/** full name of variable as pattern */
2018-06-17 17:20:16 +02:00
std::string mVarName;
/** size of each element in array */
2018-06-17 17:20:16 +02:00
MathLib::bigint mElementSize;
/** declaration id */
2018-06-17 17:20:16 +02:00
unsigned int mDeclarationId;
2010-04-18 19:46:45 +02:00
public:
ArrayInfo();
ArrayInfo(const Variable *var, const SymbolDatabase *symbolDatabase, const unsigned int forcedeclid = 0);
/**
* Create array info with specified data
* The intention is that this is only a temporary solution.. all
* checking should be based on ArrayInfo from the start and then
* this will not be needed as the declare can be used instead.
*/
2010-12-31 09:30:56 +01:00
ArrayInfo(unsigned int id, const std::string &name, MathLib::bigint size1, MathLib::bigint n);
2010-04-24 21:48:58 +02:00
/** Create a copy ArrayInfo where the number of elements have been limited by a value */
ArrayInfo limit(MathLib::bigint value) const;
2010-04-24 21:48:58 +02:00
/** array sizes */
2014-11-20 14:20:09 +01:00
const std::vector<MathLib::bigint> &num() const {
2018-06-17 17:20:16 +02:00
return mNum;
}
/** array size */
2014-11-20 14:20:09 +01:00
MathLib::bigint num(std::size_t index) const {
2018-06-17 17:20:16 +02:00
return mNum[index];
}
2014-11-20 14:20:09 +01:00
void num(std::size_t index, MathLib::bigint number) {
2018-06-17 17:20:16 +02:00
mNum[index] = number;
}
/** size of each element */
2014-11-20 14:20:09 +01:00
MathLib::bigint element_size() const {
2018-06-17 17:20:16 +02:00
return mElementSize;
}
2010-04-18 19:46:45 +02:00
/** Variable name */
2014-11-20 14:20:09 +01:00
unsigned int declarationId() const {
2018-06-17 17:20:16 +02:00
return mDeclarationId;
}
2014-11-20 14:20:09 +01:00
void declarationId(unsigned int id) {
2018-06-17 17:20:16 +02:00
mDeclarationId = id;
}
2010-04-18 19:46:45 +02:00
/** Variable name */
2014-11-20 14:20:09 +01:00
const std::string &varname() const {
2018-06-17 17:20:16 +02:00
return mVarName;
}
2014-11-20 14:20:09 +01:00
void varname(const std::string &name) {
2018-06-17 17:20:16 +02:00
mVarName = name;
}
2015-11-08 12:39:08 +01:00
MathLib::bigint numberOfElements() const;
MathLib::bigint totalIndex(const std::vector<ValueFlow::Value> &indexes) const;
};
/** Check for buffer overruns (based on ArrayInfo) */
void checkScope(const Token *tok, const ArrayInfo &arrayInfo);
void checkScope(const Token *tok, std::map<unsigned int, ArrayInfo> arrayInfos);
void checkScope_inner(const Token *tok, const ArrayInfo &arrayInfo);
/** Check for buffer overruns */
void checkScope(const Token *tok, const std::vector<const std::string*> &varname, const ArrayInfo &arrayInfo);
/**
* Helper function for checkFunctionCall - check a function parameter
* \param ftok token for the function name
* \param paramIndex on what parameter is the array used
* \param arrayInfo the array information
* \param callstack call stack. This is used to prevent recursion and to provide better error messages. Pass a empty list from checkScope etc.
*/
void checkFunctionParameter(const Token &ftok, const unsigned int paramIndex, const ArrayInfo &arrayInfo, const std::list<const Token *>& callstack);
/**
* Helper function that checks if the array is used and if so calls the checkFunctionCall
* @param tok token that matches "%name% ("
* @param arrayInfo the array information
* \param callstack call stack. This is used to prevent recursion and to provide better error messages. Pass a empty list from checkScope etc.
*/
void checkFunctionCall(const Token *tok, const ArrayInfo &arrayInfo, std::list<const Token *> callstack);
void arrayIndexOutOfBoundsError(const Token *tok, const ArrayInfo &arrayInfo, const std::vector<MathLib::bigint> &index);
void arrayIndexOutOfBoundsError(const Token *tok, const ArrayInfo &arrayInfo, const std::vector<ValueFlow::Value> &index);
/* data for multifile checking */
class MyFileInfo : public Check::FileInfo {
public:
std::string toString() const OVERRIDE;
2016-10-29 12:18:11 +02:00
struct ArrayUsage {
MathLib::bigint index;
std::string fileName;
unsigned int linenr;
};
/* key:arrayName */
2015-08-15 19:16:48 +02:00
std::map<std::string, ArrayUsage> arrayUsage;
/* key:arrayName, data:arraySize */
std::map<std::string, MathLib::bigint> arraySize;
};
/** @brief Parse current TU and extract file info */
Check::FileInfo *getFileInfo(const Tokenizer *tokenizer, const Settings *settings) const OVERRIDE;
Check::FileInfo * loadFileInfoFromXml(const tinyxml2::XMLElement *xmlElement) const OVERRIDE;
/** @brief Analyse all file infos for all TU */
bool analyseWholeProgram(const CTU::FileInfo *ctu, const std::list<Check::FileInfo*> &fileInfo, const Settings& settings, ErrorLogger &errorLogger) OVERRIDE;
/**
* Calculates sizeof value for given type.
* @param type Token which will contain e.g. "int", "*", or string.
* @return sizeof for given type, or 0 if it can't be calculated.
*/
unsigned int sizeOfType(const Token *type) const;
private:
static bool isArrayOfStruct(const Token* tok, int &position);
void arrayIndexOutOfBoundsError(const std::list<const Token *> &callstack, const ArrayInfo &arrayInfo, const std::vector<MathLib::bigint> &index);
void bufferOverrunError(const Token *tok, const std::string &varnames = emptyString);
void bufferOverrunError(const std::list<const Token *> &callstack, const std::string &varnames = emptyString);
void strncatUsageError(const Token *tok);
void negativeMemoryAllocationSizeError(const Token *tok); // provide a negative value to memory allocation function
void negativeArraySizeError(const Token *tok);
void outOfBoundsError(const Token *tok, const std::string &what, const bool show_size_info, const MathLib::bigint &supplied_size, const MathLib::bigint &actual_size);
void sizeArgumentAsCharError(const Token *tok);
void terminateStrncpyError(const Token *tok, const std::string &varname);
void bufferNotZeroTerminatedError(const Token *tok, const std::string &varname, const std::string &function);
void negativeIndexError(const Token *tok, MathLib::bigint index);
void negativeIndexError(const Token *tok, const ValueFlow::Value &index);
void cmdLineArgsError(const Token *tok);
void pointerOutOfBoundsError(const Token *tok, const Token *index=nullptr, const MathLib::bigint indexvalue=0);
void arrayIndexThenCheckError(const Token *tok, const std::string &indexName);
void possibleBufferOverrunError(const Token *tok, const std::string &src, const std::string &dst, bool cat);
void argumentSizeError(const Token *tok, const std::string &functionName, const std::string &varname);
void valueFlowCheckArrayIndex(const Token * const tok, const ArrayInfo &arrayInfo);
public:
void getErrorMessages(ErrorLogger *errorLogger, const Settings *settings) const OVERRIDE {
CheckBufferOverrun c(nullptr, settings, errorLogger);
2015-08-15 19:16:48 +02:00
const std::vector<MathLib::bigint> indexes(2, 1);
c.arrayIndexOutOfBoundsError(nullptr, ArrayInfo(0, "array", 1, 2), indexes);
c.bufferOverrunError(nullptr, std::string("buffer"));
c.strncatUsageError(nullptr);
c.outOfBoundsError(nullptr, "index", true, 2, 1);
c.sizeArgumentAsCharError(nullptr);
c.terminateStrncpyError(nullptr, "buffer");
c.bufferNotZeroTerminatedError(nullptr, "buffer", "strncpy");
c.negativeIndexError(nullptr, -1);
c.cmdLineArgsError(nullptr);
c.pointerOutOfBoundsError(nullptr, nullptr, 0);
c.arrayIndexThenCheckError(nullptr, "index");
c.possibleBufferOverrunError(nullptr, "source", "destination", false);
c.argumentSizeError(nullptr, "function", "array");
c.negativeMemoryAllocationSizeError(nullptr);
c.negativeArraySizeError(nullptr);
c.reportError(nullptr, Severity::warning, "arrayIndexOutOfBoundsCond", "Array 'x[10]' accessed at index 20, which is out of bounds. Otherwise condition 'y==20' is redundant.", CWE119, false);
}
private:
2014-11-20 14:20:09 +01:00
static std::string myName() {
2009-06-12 15:20:08 +02:00
return "Bounds checking";
}
std::string classInfo() const OVERRIDE {
return "Out of bounds checking:\n"
"- Array index out of bounds detection by value flow analysis\n"
"- Dangerous usage of strncat()\n"
"- char constant passed as size to function like memset()\n"
"- strncpy() leaving string unterminated\n"
"- Accessing array with negative index\n"
"- Unsafe usage of main(argv, argc) arguments\n"
"- Accessing array with index variable before checking its value\n"
"- Check for large enough arrays being passed to functions\n"
"- Allocating memory with a negative size\n";
}
};
/// @}
//---------------------------------------------------------------------------
#endif // checkbufferoverrunH