```ql
override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
  // This function may do only a partial copy of the input buffer to the output
  // buffer, so it's a taint flow.
```
I will argue this is data flow. The data-flow relation describes where there may be flow, not where there must be flow. For example, there is flow in `sink(x ? source() : 0);`. An implementation of `strndup` could be written along the same lines: do a full `memcpy` if the result fits, otherwise do a partial `memcpy` and a 0-termination.

Whether something is data flow or taint is not so much a hard rule but rather a question of user expectation. For example, `strcat` is taint-only because the common case is to have a non-empty destination string. Conversely, `memcpy` with unknown size is considered data flow because the common case is to copy everything of interest.
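To make the distinction above concrete, here is an illustrative pair of models written for this page; it is not code from the PR or from the Semmle C++ library. It encodes the expectations described in the comment: copying the pointed-to string through `strndup` is data flow, the length argument only taints the result, and `strcat` into an existing destination is taint-only. It assumes the library's `DataFlowFunction` and `TaintFunction` interfaces and the `FunctionInput`/`FunctionOutput` predicates `isParameter`, `isParameterDeref` and `isReturnValueDeref`; the class names `StrndupModel` and `StrcatModel` are hypothetical.

```ql
// Illustrative models, not the PR's own code. Assumes the interfaces below
// exist with these names in the C++ models library.
import semmle.code.cpp.models.interfaces.DataFlow
import semmle.code.cpp.models.interfaces.Taint

/**
 * Hypothetical model of `strndup(const char *s, size_t n)`.
 */
class StrndupModel extends DataFlowFunction, TaintFunction {
  StrndupModel() { hasGlobalName("strndup") }

  // The string pointed to by parameter 0 is copied into the string pointed to
  // by the return value. This is data flow: the common case is that everything
  // of interest is copied, even though a string longer than `n` is truncated.
  override predicate hasDataFlow(FunctionInput input, FunctionOutput output) {
    input.isParameterDeref(0) and output.isReturnValueDeref()
  }

  // The length `n` (parameter 1) influences the result but is never copied
  // into it, so it is taint only.
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    input.isParameter(1) and output.isReturnValueDeref()
  }
}

/**
 * Hypothetical model of `strcat(char *dest, const char *src)`, for contrast.
 */
class StrcatModel extends TaintFunction {
  StrcatModel() { hasGlobalName("strcat") }

  // `src` is appended to whatever `dest` already holds. Because the common
  // case is a non-empty destination, the result is not a copy of `src`, so
  // this is modelled as taint rather than data flow.
  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
    input.isParameterDeref(1) and output.isParameterDeref(0)
  }
}
```

The only difference between the two `hasTaintFlow` bodies and the `hasDataFlow` body is which predicate they override; the choice records whether a query should treat the output as carrying the input value itself (data flow) or merely as influenced by it (taint).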
In that case we should change the model for `strncpy` as well; similarly, if `n` is large enough it performs a straight copy.
Done - this involved a small change in `TaintTrackingUtil.qll`, for data flow to a dereferenced thing.
I recently created a model for `strdup` and similar functions. This is a model for `strndup`, which is a bit different because it has an additional parameter, and sometimes alters the string (so we consider the flow through it to be taint rather than data flow).

Towards https://jira.semmle.com/browse/CPP-466.