Skip to content

Commit

Permalink
[analyzer] Don't flag strcpy of string literals into sufficiently lar…
Browse files Browse the repository at this point in the history
…ge buffers.

In the security package, we have a simple syntactic check that warns about
strcpy() being insecure, due to potential buffer overflows.

Suppress that check's warning in the trivial situation when the source is an
immediate null-terminated string literal and the target is an immediate
sufficiently large buffer.

Patch by András Leitereg!

Differential Revision: https://reviews.llvm.org/D41384

llvm-svn: 322410
  • Loading branch information
haoNoQ committed Jan 12, 2018
1 parent 59e4e40 commit 1ebd1c4
Showing 2 changed files with 21 additions and 0 deletions.
11 changes: 11 additions & 0 deletions clang/lib/StaticAnalyzer/Checkers/CheckSecuritySyntaxOnly.cpp
Original file line number Diff line number Diff line change
@@ -510,6 +510,17 @@ void WalkAST::checkCall_strcpy(const CallExpr *CE, const FunctionDecl *FD) {
if (!checkCall_strCommon(CE, FD))
return;

const auto *Target = CE->getArg(0)->IgnoreImpCasts(),
*Source = CE->getArg(1)->IgnoreImpCasts();
if (const auto *DeclRef = dyn_cast<DeclRefExpr>(Target))
if (const auto *Array = dyn_cast<ConstantArrayType>(DeclRef->getType())) {
uint64_t ArraySize = BR.getContext().getTypeSize(Array) / 8;
if (const auto *String = dyn_cast<StringLiteral>(Source)) {
if (ArraySize >= String->getLength() + 1)
return;
}
}

// Issue a warning.
PathDiagnosticLocation CELoc =
PathDiagnosticLocation::createBegin(CE, BR.getSourceManager(), AC);
10 changes: 10 additions & 0 deletions clang/test/Analysis/security-syntax-checks.m
Original file line number Diff line number Diff line change
@@ -146,6 +146,16 @@ void test_strcpy() {
strcpy(x, y); //expected-warning{{Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119}}
}

void test_strcpy_2() {
char x[4];
strcpy(x, "abcd"); //expected-warning{{Call to function 'strcpy' is insecure as it does not provide bounding of the memory buffer. Replace unbounded copy functions with analogous functions that support length arguments such as 'strlcpy'. CWE-119}}
}

void test_strcpy_safe() {
char x[5];
strcpy(x, "abcd");
}

//===----------------------------------------------------------------------===
// strcat()
//===----------------------------------------------------------------------===

0 comments on commit 1ebd1c4

Please sign in to comment.