author | Anna Zaks <ganna@apple.com> | 2012-01-12 02:22:34 +0000 |
---|---|---|
committer | Anna Zaks <ganna@apple.com> | 2012-01-12 02:22:34 +0000 |
commit | 1fb826a6fd893234f32b0b91bb92ea4d127788ad (patch) | |
tree | a146fb7bf4be12981dc3e6ce6938a7c250e053b0 /test/Analysis/taint-generic.c | |
parent | e9c876044b7fe9560128a41d511426c014bf5d3f (diff) |
[analyzer] Add taint transfer by strcpy & others (part 1).
To simplify the process:
Refactor taint generation checker to simplify passing the
information on which arguments need to be tainted from pre to post
visit.
Todo: We need to factor out the code that sema is using to identify the
string and memcpy functions and use it here and in the CString checker.
git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@148010 91177308-0d34-0410-b5e6-96231b3b80d8
Diffstat (limited to 'test/Analysis/taint-generic.c')
-rw-r--r-- | test/Analysis/taint-generic.c | 41 |
1 files changed, 34 insertions, 7 deletions
diff --git a/test/Analysis/taint-generic.c b/test/Analysis/taint-generic.c
index a23d20f79f..fd9884d3fa 100644
--- a/test/Analysis/taint-generic.c
+++ b/test/Analysis/taint-generic.c
@@ -3,6 +3,26 @@
 int scanf(const char *restrict format, ...);
 int getchar(void);
 
+typedef struct _FILE FILE;
+extern FILE *stdin;
+int fscanf(FILE *restrict stream, const char *restrict format, ...);
+int sprintf(char *str, const char *format, ...);
+void setproctitle(const char *fmt, ...);
+typedef __typeof(sizeof(int)) size_t;
+
+// Define string functions. Use builtin for some of them. They all default to
+// the processing in the taint checker.
+#define strcpy(dest, src) \
+ ((__builtin_object_size(dest, 0) != -1ULL) \
+ ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \
+ : __inline_strcpy_chk(dest, src))
+
+static char *__inline_strcpy_chk (char *dest, const char *src) {
+ return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1));
+}
+char *stpcpy(char *restrict s1, const char *restrict s2);
+char *strncpy( char * destination, const char * source, size_t num );
+
 #define BUFSIZE 10
 int Buffer[BUFSIZE];
 
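Review bot: The `strcpy` macro compares `__builtin_object_size(dest, 0)` with `-1ULL`, which matches the "size unknown" result only where `size_t` is 64 bits wide; on a target with a 32-bit `size_t` the comparison is always true, so the `__inline_strcpy_chk` branch is never analysed. Since `size_t` is typedef'd just above the macro, the condition could read `((__builtin_object_size(dest, 0) != (size_t)-1) \`. The comment above the macro would also be clearer if it named what the macro stands in for, for example `// Mimic a fortified <string.h>: strcpy expands to __builtin___strcpy_chk, which the taint checker must handle like strcpy.` That reading is inferred from the macro body, so confirm it matches the intent.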
@@ -47,16 +67,23 @@ void bufferGetchar(int x) {
 Buffer[m] = 1; //expected-warning {{Out of bound memory access }}
 }
 
-typedef struct _FILE FILE;
-extern FILE *stdin;
-int fscanf(FILE *restrict stream, const char *restrict format, ...);
-int sprintf(char *str, const char *format, ...);
-void setproctitle(const char *fmt, ...);
-
-void testUncontrolledFormatString() {
+void testUncontrolledFormatString(char **p) {
 char s[80];
 fscanf(stdin, "%s", s);
 char buf[128];
 sprintf(buf,s); // expected-warning {{Uncontrolled Format String}}
 setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}}
+
+ // Test taint propagation through strcpy and family.
+ char scpy[80];
+ strcpy(scpy, s);
+ sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}}
+
+ char spcpy[80];
+ stpcpy(spcpy, s);
+ setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}}
+
+ char sncpy[80];
+ strncpy(sncpy, s, 20);
+ setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}}
 } |
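Review bot: Every added case copies from the tainted buffer `s`, so nothing here shows that a copy from an untainted source stays clean; a checker that tainted the destination of `strcpy`, `stpcpy` or `strncpy` unconditionally would still pass this test. A negative case such as `char ccpy[80]; strcpy(ccpy, "%d");` followed by `sprintf(buf, ccpy); // no-warning` would pin that down, assuming the RUN line (not visible in this hunk) keeps the compiler's own format-security diagnostics off. The new parameter `char **p` is not used in any line shown; if it is reserved for a later part of the series, a one-line comment saying so would help the next reader.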