-
Notifications
You must be signed in to change notification settings - Fork 1.8k
Allow "badly bounded" writes to a size 0 buffer #224
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm happy with this solution. It reminds me of the memberMayBeVarSize
mechanism from Buffer.qll
, which will catch arrays of size 0 or 1 at the end of a struct - but not arrays of size 0 elsewhere in the struct as in the case you've linked to. It's actually quite a strange case and I won't pretend to understand why they chose to do it that way.
@@ -21,4 +21,5 @@ from BufferWrite bw, int destSize | |||
where bw.hasExplicitLimit() // has an explicit size limit | |||
and destSize = getBufferSize(bw.getDest(), _) | |||
and (bw.getExplicitLimit() > destSize) // but it's larger than the destination | |||
and not destSize = 0 // probably just a hack if the destination size is 0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we rephrase 'hack' to something more neutral / informative? Perhaps 'likely to be a variable-sized member or similar pattern'.
I'm going to fix the issues and make a fresh PR of this, assuming nobody's already done so. |
Sorry; I've been a bit busy moving back into Oxford. I'll do that now. |
I've now opened #293 which includes and extends this work. |
Thanks! |
ah, ok, cool! |
rb/sql-injection: fix FPs stemming from not accounting for overridden methods
…odos Log when a class version can't be read
Co-authored-by: Denis Levin <denisl@microsoft.com>
This probably means this is a hack to do something like set a bunch of struct fields at once. See: https://lgtm.com/projects/g/CZ-NIC/bird/snapshot/9ba0b39e4c4756944718ab9cb55efd5824527a4b/files/proto/rip/packets.c#x17ea4190ce37e101:1.
@geoffw0