Skip to content

how to filter out this situation? #19838

New issue
New issue
Open
Open
how to filter out this situation?#19838
Labels
questionFurther information is requested
@Ret2c7

Description

@Ret2c7
Ret2c7
opened on Jun 21, 2025

Hi, I have been learning to use CodeQL recently. I was trying to find all expressions that reach the len parameter of memcpy, and in the results, there is a case like the following.

attr->val.octets = _malloc(attr->length);
if (!attr->val.octets)
	goto out_err_mem;
memcpy(attr->val.octets, orig_avp_val, attr->length);

In this part, the len parameter of memcpy is exactly the same as the parameter of _malloc, which I consider to be safe. Therefore, I would like to exclude this situation. However, first, I want to identify this pattern, so I have written the following code.

import cpp
import semmle.code.cpp.dataflow.new.DataFlow
import semmle.code.cpp.dataflow.new.TaintTracking

// class MallocSize extends Expr {
//     MallocSize() {
//         exists(FunctionCall fc |
//             fc.getTarget().hasName("malloc") and
//             this = fc.getArgument(0)
//         )
//     }
// }

module RecvToMemcpyConfig implements DataFlow::ConfigSig {
    predicate isSource(DataFlow::Node source) {
        exists(Expr e | source.asExpr() = e 
            and not e.isConstant()
        )
    }

    predicate isSink(DataFlow::Node sink) {
        exists(FunctionCall fc, FunctionCall mc | 
            fc.getTarget().hasName("memcpy") and mc.getTarget().hasName("malloc")
            and sink.asExpr() = fc.getArgument(2)
            and fc.getArgument(2) = mc.getArgument(0)
        )
        and not sink.asExpr().isConstant()
    }
}

module RecvToMemcpyFlow = TaintTracking::Global<RecvToMemcpyConfig>;

from RecvToMemcpyFlow::PathNode source, RecvToMemcpyFlow::PathNode sink
where RecvToMemcpyFlow::flowPath(source, sink)
select 
    source, 
    sink, 
    sink.getNode().getFunction().getFile(), 
    source.getNode().getFunction().getFile()

Although I think this code may not handle the following situation, I believe it should be able to handle the case where the size parameter of malloc and the len parameter of memcpy are exactly the same, meaning when the expressions are an exact match.

b = _malloc(sizeof(*b) + size);
b->size = size;
memcpy(b->buf, buf, size);

But the result returns 0 results.

I also tried other approaches, but none of them met my expectations. How should I correctly handle this situation?

Metadata

Metadata

Assignees

No one assigned

    Labels

    questionFurther information is requested

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions