diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.c b/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.c new file mode 100644 index 000000000000..f60542268482 --- /dev/null +++ b/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.c @@ -0,0 +1,11 @@ +unsigned long sizeArray; + +// BAD: let's consider several values, taking ULONG_MAX =18446744073709551615 +// sizeArray = 60; (sizeArray - 10) = 50; true +// sizeArray = 10; (sizeArray - 10) = 0; false +// sizeArray = 1; (sizeArray - 10) = 18446744073709551607; true +// sizeArray = 0; (sizeArray - 10) = 18446744073709551606; true +if (sizeArray - 10 > 0) + +// GOOD: Prevent overflow by checking the input +if (sizeArray > 10) diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp b/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp new file mode 100644 index 000000000000..3bf28d13df40 --- /dev/null +++ b/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.qhelp @@ -0,0 +1,33 @@ + + + +

The code compares the unsigned difference with zero. +It is highly probable that the condition is wrong if the difference expression has the unsigned type. +The condition holds in all the cases when difference is not equal to zero. +It means that we may use condition not equal. But the programmer probably wanted to compare the difference of elements.

+ +

False positives include code in which the first difference element is always greater than or equal to the second. +For comparison, ">" such conditions are equivalent to "! =", And are recommended for replacement. +For comparison "> =", the conditions are always true and are recommended to be excluded.

+ +
+ + +

Use a simple comparison of two elements, instead of comparing their difference to zero.

+ +
+ +

The following example demonstrates an erroneous and corrected use of comparison.

+ + +
+ + +
  • CERT C Coding Standard: +INT02-C. Understand integer conversion rules. +
  • + +
    +
    diff --git a/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql b/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql new file mode 100644 index 000000000000..300b2f944b5b --- /dev/null +++ b/cpp/ql/src/experimental/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql @@ -0,0 +1,23 @@ +/** + * @name Unsigned difference expression compared to zero + * @description It is highly probable that the condition is wrong if the difference expression has the unsigned type. + * The condition holds in all the cases when difference is not equal to zero. It means that we may use condition not equal. + * But the programmer probably wanted to compare the difference of elements. + * @kind problem + * @id cpp/unsigned-difference-expression-compared-zero + * @problem.severity warning + * @precision medium + * @tags security + * external/cwe/cwe-191 + */ + +import cpp +import semmle.code.cpp.commons.Exclusions + +from RelationalOperation ro, SubExpr sub +where + not isFromMacroDefinition(ro) and + ro.getLesserOperand().getValue().toInt() = 0 and + ro.getGreaterOperand() = sub and + sub.getFullyConverted().getUnspecifiedType().(IntegralType).isUnsigned() +select ro, "Difference in condition is always greater than or equal to zero"
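Review bot: In the UnsignedDifferenceExpressionComparedZero.c hunk, neither `if` statement has a body or a terminating `;`, so the snippet does not compile as shown; give each one a body (e.g. `if (sizeArray - 10 > 0) { /* ... */ }`) so the qhelp example can be compiled and checked. The comment also hardcodes ULONG_MAX as 18446744073709551615, which holds only where `unsigned long` is 64 bits (LP64); on LLP64 targets such as Windows it is 32 bits and the listed wrapped values differ, so either state the assumed target or switch the example to `size_t` and `SIZE_MAX`. Finally, "Prevent overflow" in the GOOD comment should read "wraparound" (or "underflow", matching the CWE-191 directory), since the subtraction wraps below zero rather than exceeding the maximum.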
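Review bot: In the qhelp overview, "The condition holds in all the cases when difference is not equal to zero" is only true for `>`; for `>=` the condition is always true, as the false-positives paragraph itself says, so the overview should state both cases and drop the unclear "It means that we may use condition not equal". In the false-positives paragraph, `"! ="` and `"> ="` contain stray spaces and should be `!=` and `>=`, and "And are recommended for replacement" should not begin with a capital after a comma. The CERT reference INT02-C covers integer conversion rules; INT30-C ("Ensure that unsigned integer operations do not wrap") describes exactly this wraparound and would be the more useful citation, alongside or instead of INT02-C.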
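Review bot: The `.ql` query treats `>` and `>=` identically, but the qhelp gives them different recommendations (replace with `!=` versus remove the always-true check); distinguish them with `ro instanceof GTExpr` / `ro instanceof GEExpr` and emit a message for each, e.g. "... is equivalent to `!= 0`" for `GTExpr` and "... is always true" for `GEExpr`. The current message "Difference in condition is always greater than or equal to zero" names no operands; using a `$@` placeholder to point at `sub` would make alerts easier to triage. Consider also excluding subtractions whose first operand is known to be at least as large as the second (the false-positive case the qhelp mentions), for instance `not exists(sub.getValue())` as a first cut for constant-folded differences, and add `correctness` to `@tags` alongside `security`, since the qhelp describes a logic error rather than an exploitable pattern.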