CPP: Add query for CWE-670: Always-Incorrect Control Flow Implementation when use SSL_shutdown #9087
Conversation
cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.qhelp
Show resolved
Hide resolved
cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.cpp
Show resolved
Hide resolved
| fc.getASuccessor+() = fc1 and | ||
| fc.getTarget().hasName("SSL_shutdown") and | ||
| fc1.getTarget().hasName("SSL_shutdown") and | ||
| fc1 instanceof ExprInVoidContext and |
There was a problem hiding this comment.
I understand that we're looking for two calls to SSL_Shutdown on the same SSL object (without a call to SSL_Free in between), where the return value of the second call is not checked. Why is it OK for the return value of the first call to be unchecked but not the second?
There was a problem hiding this comment.
You are absolutely right, the first check also needs to be checked.
- I want to avoid situations with only one call.
- It seems to me that when the first call check is skipped, and the second one is checked, this is a very rare case.
but if you find grain in it, I will add this detector.
There was a problem hiding this comment.
I want to avoid situations with only one call.
Are they problematic? Is it sometimes OK for the developer to ignore the return value of SSL_shutdown in these simpler cases?
There was a problem hiding this comment.
I am sure that you should always check the return value of this function. however, we are talking about the problem of ambiguous understanding of states on the part of the server and the client, in this case, the presence of one call indicates that the developer does not consider this a problem.
the addition of this detection, in my opinion, will lead to an increase in hits and will correlate with the situation in these PRs 6950 6947.
There was a problem hiding this comment.
I see, checking for an error on the first call to SSL_shutdown suggests that the program needs to handle the error to behave correctly, so an error on the second SSL_shutdown should be handled as well. But its also possible the program doesn't need to handle any errors (perhaps its about to exit anyway), so you're reluctant to catch the case of a single call to SSL_shutdown with no error handling.
|
A run of this query on LGTM: https://lgtm.com/query/1680253232874044114/ |
|
|
could you show me what kind of errors are generated during checks. |
|
Great, that's three real world results between our two LGTM runs! Running the checks now... |
cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql
Outdated
Show resolved
Hide resolved
…hutdown.ql Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
|
I'm happy with this, when the checks pass. And I believe it would have caught the issue described in https://redmine.lighttpd.net/issues/285#comment:18 . |
this is a very interesting point. I really like this item in the description, but I'm afraid that it will complicate the query very much, and narrow the detection very much. |
|
if you still think it's reasonable, I am ready to agree with you. let's just talk about what you mean
|
|
I'm not advising any changes at this time, I'm just trying to better understand why the query works the way it does. I think I'm happy with the QL and the real world (lgtm.com) results we have seen so far. |
thanks |
|
What do I need to do for this PR? |
|
I believe the bug bounty process concluded that this PR is not eligible for a bounty award. I'm happy to accept the code into experimental, with that understanding. |
|
despite the bounty decision, I still find the request useful. |
|
Great, thanks for your contribution! |
this query looks for improperly closed connections.
CVE-2008-1531
when the situations of calling the second function to close are not processed.