/*
Question 2.1: Create the configuration class, by defining the source and sink.
The source should be calls to ntohl, ntohll, or ntohs.
The sink should be the size argument of an unsafe call to memcpy.
Hint: The source should be an instance of the class you wrote in part 2.0.
Hint: The sink should be the size argument of calls to memcpy.
*/
/**
* @kind path-problem
*/
import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph
/**
 * An expression that is the expansion of one of the network-to-host
 * byte-order macros `ntohs`, `ntohl` or `ntohll` (part 2.0 of the exercise).
 * Values produced this way have just been read from the network, which is
 * why the taint configuration below treats them as sources.
 */
class NetworkByteSwap extends Expr {
  NetworkByteSwap() {
    // `regexpMatch` is anchored, so only the three exact ntoh* names qualify;
    // `this` is the top-level expression the macro invocation expands to.
    exists(MacroInvocation swap |
      this = swap.getExpr()
    |
      swap.getMacro().getName().regexpMatch("ntoh(ll|l|s)")
    )
  }
}
/**
 * Taint-tracking configuration for part 2.1: a network byte-swapped value
 * (source) flowing into the `size` argument of `memcpy` (sink).
 */
class Config extends TaintTracking::Configuration {
  Config() { this = "NetworkToMemFuncLength" }

  /** A source is any expression that is a `ntoh*` macro expansion. */
  override predicate isSource(DataFlow::Node source) {
    source.asExpr() instanceof NetworkByteSwap
  }

  /**
   * A sink is the third argument (the byte count) of any call to a function
   * named `memcpy`. No check is made that the destination is too small; every
   * memcpy whose length is network-derived is reported as a candidate.
   */
  override predicate isSink(DataFlow::Node sink) {
    sink.asExpr() =
      any(FunctionCall call | call.getTarget().hasName("memcpy")).getArgument(2)
  }
}
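/*
 * Report every path from a network byte-swapped value to the size argument of
 * a memcpy call. For a `path-problem` query the select columns are: the element
 * to report (the sink's underlying node, not the PathNode wrapper), the path
 * source, the path sink, and the message. `$@` in the message is rendered as a
 * link to the node/label pair that follows it, so the alert points back at the
 * originating ntoh* expansion.
 */
from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "memcpy size argument depends on a network byte-swapped value from $@.",
  source.getNode(), "this ntoh call"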