authorAnna Zaks <ganna@apple.com>2012-01-18 02:45:11 +0000
committerAnna Zaks <ganna@apple.com>2012-01-18 02:45:11 +0000
commit560dbe9ac942e16d1ee3e4f99a7e2a3be652689b (patch)
tree35d869f8c0790e692c3590d6aecd9f0391549913 /clang/test
parent5d324e509cb6147412a4484b23ac05940f04b434 (diff)
downloadbcm5719-llvm-560dbe9ac942e16d1ee3e4f99a7e2a3be652689b.tar.gz
bcm5719-llvm-560dbe9ac942e16d1ee3e4f99a7e2a3be652689b.zip
[analyzer] Taint: warn when tainted data is used to specify a buffer
size (Ex: in malloc, memcpy, strncpy..) (Maybe some of this could migrate to the CString checker. One issue with that is that we might want to separate security issues from regular API misuse.) llvm-svn: 148371
Diffstat (limited to 'clang/test')
-rw-r--r--clang/test/Analysis/taint-generic.c22
1 files changed, 22 insertions, 0 deletions
diff --git a/clang/test/Analysis/taint-generic.c b/clang/test/Analysis/taint-generic.c
index 2d00f4daa91..c50f7193445 100644
--- a/clang/test/Analysis/taint-generic.c
+++ b/clang/test/Analysis/taint-generic.c
@@ -23,6 +23,11 @@ static char *__inline_strcpy_chk (char *dest, const char *src) {
char *stpcpy(char *restrict s1, const char *restrict s2);
char *strncpy( char * destination, const char * source, size_t num );
char *strndup(const char *s, size_t n);
+char *strncat(char *restrict s1, const char *restrict s2, size_t n);
+
+void *malloc(size_t);
+void *calloc(size_t nmemb, size_t size);
+void bcopy(void *s1, void *s2, size_t n);
#define BUFSIZE 10
@@ -112,6 +117,7 @@ void testTaintSystemCall() {
sprintf(buffer, "/bin/mail %s < /tmp/email", addr);
system(buffer); // expected-warning {{Tainted data passed to a system call}}
}
+
void testTaintSystemCall2() {
// Test that snpintf transfers taint.
char buffern[156];
@@ -120,6 +126,7 @@ void testTaintSystemCall2() {
__builtin_snprintf(buffern, 10, "/bin/mail %s < /tmp/email", addr);
system(buffern); // expected-warning {{Tainted data passed to a system call}}
}
+
void testTaintSystemCall3() {
char buffern2[156];
int numt;
@@ -128,3 +135,18 @@ void testTaintSystemCall3() {
__builtin_snprintf(buffern2, numt, "/bin/mail %s < /tmp/email", "abcd");
system(buffern2); // expected-warning {{Tainted data passed to a system call}}
}
+
+void testTaintedBufferSize() {
+ size_t ts;
+ scanf("%zd", &ts);
+
+ int *buf1 = (int*)malloc(ts*sizeof(int)); // expected-warning {{Tainted data is used to specify the buffer size}}
+ char *dst = (char*)calloc(ts, sizeof(char)); //expected-warning {{Tainted data is used to specify the buffer size}}
+ bcopy(buf1, dst, ts); // expected-warning {{Tainted data is used to specify the buffer size}}
+ __builtin_memcpy(dst, buf1, (ts + 4)*sizeof(char)); // expected-warning {{Tainted data is used to specify the buffer size}}
+
+ // If both buffers are trusted, do not issue a warning.
+ char *dst2 = (char*)malloc(ts*sizeof(char)); // expected-warning {{Tainted data is used to specify the buffer size}}
+ strncat(dst2, dst, ts); // no-warning
+
+}
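Review bot: The closing `strncat(dst2, dst, ts); // no-warning` case in testTaintedBufferSize pins a suppression that its comment does not explain. `ts` is still tainted at that call, and `dst2` was just allocated with `malloc(ts*sizeof(char))`, which the line above expects to warn. A later reader could take the `no-warning` as evidence that the call is safe rather than as the checker's chosen policy. I would reword the comment along the lines of `// ts is still tainted; strncat is expected to stay silent only because neither buffer argument is tainted.` Separately, `scanf("%zd", &ts)` uses the signed conversion for a `size_t`, and `%zu` matches the declared type.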