diff options
| author | Anna Zaks <ganna@apple.com> | 2012-01-18 02:45:07 +0000 |
|---|---|---|
| committer | Anna Zaks <ganna@apple.com> | 2012-01-18 02:45:07 +0000 |
| commit | 5d324e509cb6147412a4484b23ac05940f04b434 (patch) | |
| tree | 4d86c5be987e267df648c93958b41070b4de049d /clang/test/Analysis/taint-generic.c | |
| parent | 28db7ceabd3ff35e90a70a6042db640e98ea8a37 (diff) | |
| download | bcm5719-llvm-5d324e509cb6147412a4484b23ac05940f04b434.tar.gz bcm5719-llvm-5d324e509cb6147412a4484b23ac05940f04b434.zip | |
[analyzer] Taint: add taint propagation rules for string and memory copy
functions.
llvm-svn: 148370
Diffstat (limited to 'clang/test/Analysis/taint-generic.c')
| -rw-r--r-- | clang/test/Analysis/taint-generic.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/clang/test/Analysis/taint-generic.c b/clang/test/Analysis/taint-generic.c index 0f8996674c8..2d00f4daa91 100644 --- a/clang/test/Analysis/taint-generic.c +++ b/clang/test/Analysis/taint-generic.c @@ -22,6 +22,7 @@ static char *__inline_strcpy_chk (char *dest, const char *src) { } char *stpcpy(char *restrict s1, const char *restrict s2); char *strncpy( char * destination, const char * source, size_t num ); +char *strndup(const char *s, size_t n); #define BUFSIZE 10 @@ -86,9 +87,18 @@ void testUncontrolledFormatString(char **p) { stpcpy(spcpy, s); setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}} + char *spcpyret; + spcpyret = stpcpy(spcpy, s); + setproctitle(spcpyret, 3); // expected-warning {{Uncontrolled Format String}} + char sncpy[80]; strncpy(sncpy, s, 20); setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}} + + char *dup; + dup = strndup(s, 20); + setproctitle(dup, 3); // expected-warning {{Uncontrolled Format String}} + } int system(const char *command); @@ -97,4 +107,24 @@ void testTaintSystemCall() { char addr[128]; scanf("%s", addr); system(addr); // expected-warning {{Tainted data passed to a system call}} + + // Test that spintf transfers taint. + sprintf(buffer, "/bin/mail %s < /tmp/email", addr); + system(buffer); // expected-warning {{Tainted data passed to a system call}} +} +void testTaintSystemCall2() { + // Test that snpintf transfers taint. + char buffern[156]; + char addr[128]; + scanf("%s", addr); + __builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr); + system(buffern); // expected-warning {{Tainted data passed to a system call}} +} +void testTaintSystemCall3() { + char buffern2[156]; + int numt; + char addr[128]; + scanf("%s %d", addr, &numt); + __builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd"); + system(buffern2); // expected-warning {{Tainted data passed to a system call}} } |
