Merge pull request #18 from khanhnt2/step-10

step 10
khanhnt2 · Apr 15, 2020 · 2f2d520 · 2f2d520 · github-actions · Apr 15, 2020
2 parents 221af12 + 5a3b11e
commit 2f2d520
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/10_taint_tracking.ql b/10_taint_tracking.ql
@@ -1 +1,34 @@
+/**
+* @kind path-problem
+*/
 
+import cpp
+import semmle.code.cpp.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+class NetworkByteSwap extends Expr {
+  NetworkByteSwap () {
+    exists(MacroInvocation invocation
+            | invocation.getMacro().getName().regexpMatch("ntoh.*")
+            | this = invocation.getExpr()
+    )
+  }
+}
+
+class Config extends TaintTracking::Configuration {
+  Config() { this = "NetworkToMemFuncLength" }
+
+  override predicate isSource(DataFlow::Node source) {
+      source.asExpr() instanceof NetworkByteSwap
+  }
+  override predicate isSink(DataFlow::Node sink) {
+      exists(FunctionCall call
+      | sink.asExpr() = call.getArgument(2)
+      | call.getTarget().getName() = "memcpy"
+      )
+  }
+}
+
+from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink, source, sink, "Network byte swap flows to memcpy"