| author | Anna Zaks <ganna@apple.com> | 2012-01-12 02:22:34 +0000 |
|---|---|---|
| committer | Anna Zaks <ganna@apple.com> | 2012-01-12 02:22:34 +0000 |
| commit | b3fa8d7dd15f52f7e18e9f11dc840399e3446e26 (patch) | |
| tree | 6360791613212f9b9ba9c69e63b6546bc658e8fb /clang/test/Analysis/taint-generic.c | |
| parent | fc6be102ae7b924813345a21ec0a07960606559f (diff) | |
[analyzer] Add taint transfer by strcpy & others (part 1).
To simplify the process:
Refactor taint generation checker to simplify passing the
information on which arguments need to be tainted from pre to post
visit.
Todo: We need to factor out the code that sema is using to identify the
string and memcpy functions and use it here and in the CString checker.
llvm-svn: 148010
Diffstat (limited to 'clang/test/Analysis/taint-generic.c')
| -rw-r--r-- | clang/test/Analysis/taint-generic.c | 41 |
1 files changed, 34 insertions, 7 deletions
diff --git a/clang/test/Analysis/taint-generic.c b/clang/test/Analysis/taint-generic.c
index a23d20f79f0..fd9884d3fa8 100644
--- a/clang/test/Analysis/taint-generic.c
+++ b/clang/test/Analysis/taint-generic.c
@@ -3,6 +3,26 @@
 int scanf(const char *restrict format, ...);
 int getchar(void);
 
+typedef struct _FILE FILE;
+extern FILE *stdin;
+int fscanf(FILE *restrict stream, const char *restrict format, ...);
+int sprintf(char *str, const char *format, ...);
+void setproctitle(const char *fmt, ...);
+typedef __typeof(sizeof(int)) size_t;
+
+// Define string functions. Use builtin for some of them. They all default to
+// the processing in the taint checker.
+#define strcpy(dest, src) \
+ ((__builtin_object_size(dest, 0) != -1ULL) \
+ ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
+ : __inline_strcpy_chk(dest, src))
+
+static char *__inline_strcpy_chk (char *dest, const char *src) {
+ return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
+}
+char *stpcpy(char *restrict s1, const char *restrict s2);
+char *strncpy( char * destination, const char * source, size_t num );
+
 #define BUFSIZE 10
 int Buffer[BUFSIZE];
 
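Review bot: The `strcpy` macro compares `__builtin_object_size(dest, 0)` with `-1ULL`, but the builtin yields a `size_t`, so on a target where `size_t` is narrower than `unsigned long long` the "size unknown" value never equals `-1ULL` and the `__inline_strcpy_chk` arm is never selected. Writing the condition as `(__builtin_object_size(dest, 0) != (size_t)-1)` reuses the typedef added a few lines above and keeps both arms reachable on any triple. Both arms end in `__builtin___strcpy_chk`, so the checker result should not change; the comment above the macro could state that directly, for example `// Mimics fortified headers: both arms of strcpy reach __builtin___strcpy_chk.`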
@@ -47,16 +67,23 @@ void bufferGetchar(int x) {
 Buffer[m] = 1; //expected-warning {{Out of bound memory access }}
 }
 
-typedef struct _FILE FILE;
-extern FILE *stdin;
-int fscanf(FILE *restrict stream, const char *restrict format, ...);
-int sprintf(char *str, const char *format, ...);
-void setproctitle(const char *fmt, ...);
-
-void testUncontrolledFormatString() {
+void testUncontrolledFormatString(char **p) {
 char s[80];
 fscanf(stdin, "%s", s);
 char buf[128];
 sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
 setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
+
+ // Test taint propagation through strcpy and family.
+ char scpy[80];
+ strcpy(scpy, s);
+ sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
+
+ char spcpy[80];
+ stpcpy(spcpy, s);
+ setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
+
+ char sncpy[80];
+ strncpy(sncpy, s, 20);
+ setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
 } |
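Review bot: Every case added to `testUncontrolledFormatString` copies from the tainted buffer `s`, so the test would still pass if the checker tainted the destination of `strcpy`/`stpcpy`/`strncpy` regardless of the source. A negative case would pin propagation to the source argument, for example `char clean[80]; strcpy(clean, "%d");` followed by `sprintf(buf, clean); // no-warning`. The new `char **p` parameter is not used anywhere in the visible body; if it is reserved for the follow-up part, a short comment saying so would keep it from looking like leftover code.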

