25 #include "llvm/ADT/SmallString.h"
26 #include "llvm/Support/raw_ostream.h"
28 using namespace clang;
33 const CheckerBase *Checker;
38 bool sameDecl(
const Expr *A1,
const Expr *A2) {
41 return D1->
getDecl() == D2->getDecl();
46 bool isSizeof(
const Expr *E,
const Expr *WithArg) {
47 if (
const auto *UE = dyn_cast<UnaryExprOrTypeTraitExpr>(E))
48 if (UE->getKind() == UETT_SizeOf && !UE->isArgumentType())
49 return sameDecl(UE->getArgumentExpr(), WithArg);
54 bool isStrlen(
const Expr *E,
const Expr *WithArg) {
55 if (
const auto *CE = dyn_cast<CallExpr>(E)) {
60 sameDecl(CE->getArg(0), WithArg));
66 bool isOne(
const Expr *E) {
67 if (
const auto *IL = dyn_cast<IntegerLiteral>(E))
68 return (IL->getValue().isIntN(1));
72 StringRef getPrintableName(
const Expr *E) {
80 bool containsBadStrncatPattern(
const CallExpr *CE);
101 bool containsBadStrlcpyStrlcatPattern(
const CallExpr *CE);
105 : Checker(Checker), BR(BR), AC(AC) {}
108 void VisitChildren(
Stmt *S);
109 void VisitStmt(
Stmt *S) {
122 bool WalkAST::containsBadStrncatPattern(
const CallExpr *CE) {
130 if (
const auto *BE = dyn_cast<BinaryOperator>(LenArg->
IgnoreParenCasts())) {
132 if (BE->getOpcode() == BO_Sub) {
133 const Expr *L = BE->getLHS();
134 const Expr *R = BE->getRHS();
135 if (isSizeof(L, DstArg) && isStrlen(R, DstArg))
144 if (isSizeof(LenArg, DstArg))
148 if (isSizeof(LenArg, SrcArg))
153 bool WalkAST::containsBadStrlcpyStrlcatPattern(
const CallExpr *CE) {
160 const auto *LenArgDRE =
163 if (isSizeof(LenArg, DstArg))
168 const auto *LenArgVal = dyn_cast<VarDecl>(LenArgDRE->getDecl());
171 assert(isa<EnumConstantDecl>(LenArgDRE->getDecl()));
174 if (LenArgVal->getInit())
175 LenArg = LenArgVal->getInit();
182 uint64_t ILRawVal = IL->getValue().getZExtValue();
190 DstArgDRE = dyn_cast<DeclRefExpr>(BE->getLHS()->IgnoreParenImpCasts());
191 if (BE->getOpcode() == BO_Add) {
192 if ((IL = dyn_cast<IntegerLiteral>(BE->getRHS()->IgnoreParenImpCasts()))) {
193 DstOff = IL->getValue().getZExtValue();
199 if (
const auto *Buffer =
200 dyn_cast<ConstantArrayType>(DstArgDRE->getType())) {
202 uint64_t BufferLen =
C.getTypeSize(Buffer) / 8;
203 auto RemainingBufferLen = BufferLen - DstOff;
204 if (RemainingBufferLen < ILRawVal)
213 void WalkAST::VisitCallExpr(
CallExpr *CE) {
219 if (containsBadStrncatPattern(CE)) {
222 PathDiagnosticLocation Loc =
225 StringRef DstName = getPrintableName(DstArg);
228 llvm::raw_svector_ostream os(S);
229 os <<
"Potential buffer overflow. ";
230 if (!DstName.empty()) {
231 os <<
"Replace with 'sizeof(" << DstName <<
") "
232 "- strlen(" << DstName <<
") - 1'";
236 os <<
"se a safer 'strlcat' API";
238 BR.EmitBasicReport(FD, Checker,
"Anti-pattern in the argument",
239 "C String API", os.str(), Loc,
244 if (containsBadStrlcpyStrlcatPattern(CE)) {
247 PathDiagnosticLocation Loc =
250 StringRef DstName = getPrintableName(DstArg);
253 llvm::raw_svector_ostream os(S);
254 os <<
"The third argument allows to potentially copy more bytes than it should. ";
255 os <<
"Replace with the value ";
256 if (!DstName.empty())
257 os <<
"sizeof(" << DstName <<
")";
259 os <<
"sizeof(<destination buffer>)";
262 BR.EmitBasicReport(FD, Checker,
"Anti-pattern in the argument",
263 "C String API", os.str(), Loc,
272 void WalkAST::VisitChildren(
Stmt *S) {
273 for (
Stmt *Child : S->children())
279 class CStringSyntaxChecker:
public Checker<check::ASTCodeBody> {
282 void checkASTCodeBody(
const Decl *D, AnalysisManager& Mgr,
283 BugReporter &BR)
const {
284 WalkAST walker(
this, BR, Mgr.getAnalysisDeclContext(D));
290 void ento::registerCStringSyntaxChecker(CheckerManager &mgr) {
291 mgr.registerChecker<CStringSyntaxChecker>();
294 bool ento::shouldRegisterCStringSyntaxChecker(
const CheckerManager &mgr) {