C++: Implement models for poll, accept and select #5217
Conversation
| readfds.fd_count = 1; | ||
| readfds.fd_array[0] = source(); | ||
| select(2, &readfds, nullptr, nullptr, &timeout); | ||
| sink(&readfds); // $ ast MISSING: ir |
There was a problem hiding this comment.
Please could you talk me through what's going on with taint in the poll and select examples?
There was a problem hiding this comment.
Sure. In the poll case, we taint the file descriptor, and poll wait for some I/O event, and then fill the revents field with the returned event.
In the select case, we taint a file descriptor in readfds. It looks like this is normally done using the FD_SET function which we haven't modeled yet. The call to select then taints the readfds structure, which we can then use to propagate taint to other FD_ functions.
Thinking about this taint flow again, I'm actually not sure we want taint to propagate taint to the entire object returned by these functions.
There was a problem hiding this comment.
f908d2f removes the taint from these functions.
MathiasVP
force-pushed
the
model-bsd-sockets-part-3
branch
from
50dd0c9 to
f908d2f
Compare
|
LGTM, though I wouldn't mind a second opinion about taint through |
Final part of https://github.com/github/codeql-c-analysis-team/issues/209 for this iteration.
These are slightly more awkward to model since it's most natural to model some of the flow to the file-descriptor argument, but since these are passed by value (because its value isn't actually changed) they don't have an "output" value after the function returns.