Allow "badly bounded" writes to a size 0 buffer #224
Conversation
There was a problem hiding this comment.
I'm happy with this solution. It reminds me of the memberMayBeVarSize mechanism from Buffer.qll, which will catch arrays of size 0 or 1 at the end of a struct - but not arrays of size 0 elsewhere in the struct as in the case you've linked to. It's actually quite a strange case and I won't pretend to understand why they chose to do it that way.
| @@ -21,4 +21,5 @@ from BufferWrite bw, int destSize | |||
| where bw.hasExplicitLimit() // has an explicit size limit | |||
| and destSize = getBufferSize(bw.getDest(), _) | |||
| and (bw.getExplicitLimit() > destSize) // but it's larger than the destination | |||
| and not destSize = 0 // probably just a hack if the destination size is 0 | |||
There was a problem hiding this comment.
Can we rephrase 'hack' to something more neutral / informative? Perhaps 'likely to be a variable-sized member or similar pattern'.
|
I'm going to fix the issues and make a fresh PR of this, assuming nobody's already done so. |
|
Sorry; I've been a bit busy moving back into Oxford. I'll do that now. |
|
I've now opened #293 which includes and extends this work. |
|
Thanks! |
|
ah, ok, cool! |
rb/sql-injection: fix FPs stemming from not accounting for overridden methods
…odos Log when a class version can't be read
Co-authored-by: Denis Levin <denisl@microsoft.com>
This probably means this is a hack to do something like set a bunch of struct fields at once. See: https://lgtm.com/projects/g/CZ-NIC/bird/snapshot/9ba0b39e4c4756944718ab9cb55efd5824527a4b/files/proto/rip/packets.c#x17ea4190ce37e101:1.
@geoffw0