taint-generic.c revision 1fb826a6fd893234f32b0b91bb92ea4d127788ad
1// RUN: %clang_cc1 -analyze -analyzer-checker=experimental.security.taint,experimental.security.ArrayBoundV2 -Wno-format-security -verify %s 2 3int scanf(const char *restrict format, ...); 4int getchar(void); 5 6typedef struct _FILE FILE; 7extern FILE *stdin; 8int fscanf(FILE *restrict stream, const char *restrict format, ...); 9int sprintf(char *str, const char *format, ...); 10void setproctitle(const char *fmt, ...); 11typedef __typeof(sizeof(int)) size_t; 12 13// Define string functions. Use builtin for some of them. They all default to 14// the processing in the taint checker. 15#define strcpy(dest, src) \ 16 ((__builtin_object_size(dest, 0) != -1ULL) \ 17 ? __builtin___strcpy_chk (dest, src, __builtin_object_size(dest, 1)) \ 18 : __inline_strcpy_chk(dest, src)) 19 20static char *__inline_strcpy_chk (char *dest, const char *src) { 21 return __builtin___strcpy_chk(dest, src, __builtin_object_size(dest, 1)); 22} 23char *stpcpy(char *restrict s1, const char *restrict s2); 24char *strncpy( char * destination, const char * source, size_t num ); 25 26#define BUFSIZE 10 27 28int Buffer[BUFSIZE]; 29void bufferScanfDirect(void) 30{ 31 int n; 32 scanf("%d", &n); 33 Buffer[n] = 1; // expected-warning {{Out of bound memory access }} 34} 35 36void bufferScanfArithmetic1(int x) { 37 int n; 38 scanf("%d", &n); 39 int m = (n - 3); 40 Buffer[m] = 1; // expected-warning {{Out of bound memory access }} 41} 42 43void bufferScanfArithmetic2(int x) { 44 int n; 45 scanf("%d", &n); 46 int m = 100 / (n + 3) * x; 47 Buffer[m] = 1; // expected-warning {{Out of bound memory access }} 48} 49 50void bufferScanfAssignment(int x) { 51 int n; 52 scanf("%d", &n); 53 int m; 54 if (x > 0) { 55 m = n; 56 Buffer[m] = 1; // expected-warning {{Out of bound memory access }} 57 } 58} 59 60void scanfArg() { 61 int t; 62 scanf("%d", t); // expected-warning {{conversion specifies type 'int *' but the argument has type 'int'}} 63} 64 65void bufferGetchar(int x) { 66 int m = getchar(); 67 Buffer[m] = 1; //expected-warning {{Out of bound memory access }} 68} 69 70void testUncontrolledFormatString(char **p) { 71 char s[80]; 72 fscanf(stdin, "%s", s); 73 char buf[128]; 74 sprintf(buf,s); // expected-warning {{Uncontrolled Format String}} 75 setproctitle(s, 3); // expected-warning {{Uncontrolled Format String}} 76 77 // Test taint propagation through strcpy and family. 78 char scpy[80]; 79 strcpy(scpy, s); 80 sprintf(buf,scpy); // expected-warning {{Uncontrolled Format String}} 81 82 char spcpy[80]; 83 stpcpy(spcpy, s); 84 setproctitle(spcpy, 3); // expected-warning {{Uncontrolled Format String}} 85 86 char sncpy[80]; 87 strncpy(sncpy, s, 20); 88 setproctitle(sncpy, 3); // expected-warning {{Uncontrolled Format String}} 89} 90