taint-tester.c revision 5fc7def35ee858791e591d005b4ae343632ca931
1// RUN: %clang_cc1  -analyze -analyzer-checker=experimental.security.taint,debug.TaintTest -verify %s
2
// Local prototypes for the input functions; the file declares them itself
// instead of including <stdio.h> (presumably to keep the test independent of
// system headers - confirm). scanf is the input source used by taintTracking;
// getchar is not called in the lines shown here.
3int scanf(const char *restrict format, ...);
4int getchar(void);
5
// Fixed-size global array of BUFSIZE ints. taintTracking takes the address of
// its first element and offsets it by a value read from input.
6#define BUFSIZE 10
7int Buffer[BUFSIZE];
8
// Small aggregate used by taintTracking for the struct-pointer and per-field
// taint cases.
9struct XYStruct {
    // x and y are both passed to scanf by address in taintTracking.
10  int x;
11  int y;
    // z is only initialized from a literal there and is read back as the
    // untainted control case.
12  char z;
13};
14
// Analyzer regression test: follows values written by scanf() through pointer
// arithmetic, casts, increments, dereferences and struct field accesses.
// The RUN line at the top of the file enables experimental.security.taint and
// debug.TaintTest under -verify, so the trailing diagnostic directive on each
// statement is part of the test and has to stay on the statement it annotates.
// The parameter x is not used in the body.
// NOTE(review): the per-line counts presumably equal the number of tainted
// sub-expressions the debug checker reports on that line - confirm against the
// checker before editing any statement.
15void taintTracking(int x) {
16  int n;
17  int *addr = &Buffer[0];
    // Taint source: n is filled from input and is never range-checked against
    // BUFSIZE before it is used as an offset below.
18  scanf("%d", &n);
    // Input-controlled offset applied to a pointer into Buffer, followed by a
    // store through the resulting pointer: the unchecked-index pattern that
    // taint tracking exists to surface.
19  addr += n;// expected-warning 2 {{tainted}}
20  *addr = n; // expected-warning 3 {{tainted}}
21
    // Propagation through integer division with conversion to double, an
    // int-to-pointer cast, and post-increment/decrement combined with char casts.
22  double tdiv = n / 30; // expected-warning 3 {{tainted}}
23  char *loc_cast = (char *) n; // expected-warning {{tainted}}
24  char tinc = tdiv++; // expected-warning {{tainted}}
25  int tincdec = (char)tinc--; // expected-warning 2 {{tainted}}
26
27  // Tainted ptr arithmetic/array element address.
28  int tprtarithmetic1 = *(addr+1); // expected-warning 2 {{tainted}}
29
30  // Dereference.
    // Here the pointer value itself comes from input (%p), so both the load and
    // arithmetic on the loaded value are annotated as tainted.
31  int *ptr;
32  scanf("%p", &ptr);
33  int ptrDeref = *ptr; // expected-warning 2 {{tainted}}
34  int _ptrDeref = ptrDeref + 13; // expected-warning 2 {{tainted}}
35
36  // Pointer arithmetic + dereferencing.
37  // FIXME: We fail to propagate the taint here because RegionStore does not
38  // handle ElementRegions with symbolic indexes.
    // The load below still carries one directive, while the copy on the next
    // line carries none; presumably that missing report is the gap the FIXME
    // describes - confirm.
39  int addrDeref = *addr; // expected-warning {{tainted}}
40  int _addrDeref = addrDeref;
41
42  // Tainted struct address, casts.
    // The struct pointer is read from input, round-tripped through void *, and
    // then used for field loads via ->.
43  struct XYStruct *xyPtr = 0;
44  scanf("%p", &xyPtr);
45  void *tXYStructPtr = xyPtr; // expected-warning 2 {{tainted}}
46  struct XYStruct *xyPtrCopy = tXYStructPtr; // expected-warning 2 {{tainted}}
47  int ptrtx = xyPtr->x;// expected-warning 2 {{tainted}}
48  int ptrty = xyPtr->y;// expected-warning 2 {{tainted}}
49
50  // Taint on fields of a struct.
    // NOTE(review): "%f" is paired with the address of an int field in both
    // calls. The RUN line only analyzes the file, so nothing executes, but "%d"
    // would match the field type; changing it may alter the diagnostics, so
    // confirm before touching it.
51  struct XYStruct xy = {2, 3, 11};
52  scanf("%f", &xy.y);
53  scanf("%f", &xy.x);
    // Only the read of xy.x is annotated; xy.y is a known gap (FIXME below) and
    // xy.z, which scanf never receives, is the untainted control.
54  int tx = xy.x; // expected-warning {{tainted}}
55  int ty = xy.y; // FIXME: This should be tainted as well.
56  char ntz = xy.z;// no warning
57}
58