Add sample solutions

solutions/10_taint_tracking.ql

@@ -0,0 +1,30 @@
+import cpp
+import semmle.code.cpp.dataflow.TaintTracking
+import DataFlow::PathGraph
+
+/**
+ * An expression involved when swapping the byte order of network data.
+ * Its value is likely to have been read from the network.
+ */
+class NetworkByteSwap extends Expr {
+  NetworkByteSwap() {
+    exists(MacroInvocation mi |
+      mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and
+      this = mi.getExpr()
+    )
+  }
+}
+
+class Config extends TaintTracking::Configuration {
+  Config() { this = "Config: this name doesn't matter" }
+
+  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof NetworkByteSwap }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(FunctionCall c | c.getTarget().getName() = "memcpy" and sink.asExpr() = c.getArgument(2))
+  }
+}
+
+from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
+where cfg.hasFlowPath(source, sink)
+select sink, source, sink, "Network byte swap flows to memcpy"

solutions/3_function_definitions.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from Function f
+where f.getName() = "strlen"
+select f, "a function named strlen"

solutions/4_memcpy_definitions.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from Function f
+where f.getName() = "memcpy"
+select f, "a function named memcpy"

solutions/5_macro_definitions.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from Macro m
+where m.getName().regexpMatch("ntoh(s|l|ll)")
+select m

solutions/6_memcpy_calls.ql

@@ -0,0 +1,11 @@
+import cpp
+
+// Version with two variables
+// from Function f, FunctionCall c
+// where c.getTarget() = f and f.getName() = "memcpy"
+// select c, f
+
+// More compact version with the Function variable implicit
+from FunctionCall c
+where c.getTarget().getName() = "memcpy"
+select c

solutions/7_macro_invocations.ql

@@ -0,0 +1,13 @@
+import cpp
+
+// Version with two variables
+// from Macro m, MacroInvocation mi
+// where
+//   m.getName().regexpMatch("ntoh(s|l|ll)") and
+//   mi.getMacro() = m
+// select mi, m
+
+// More compact version with the Macro variable implicit
+from MacroInvocation mi
+where mi.getMacro().getName().regexpMatch("ntoh(s|l|ll)")
+select mi

solutions/8_macro_expressions.ql

@@ -0,0 +1,5 @@
+import cpp
+
+from MacroInvocation mi
+where mi.getMacro().getName().regexpMatch("ntoh(s|l|ll)")
+select mi.getExpr()

solutions/9_class_network_byteswap.ql

@@ -0,0 +1,17 @@
+import cpp
+
+/**
+ * An expression involved when swapping the byte order of network data.
+ * Its value is likely to have been read from the network.
+ */
+class NetworkByteSwap extends Expr {
+  NetworkByteSwap() {
+    exists(MacroInvocation mi |
+      mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and
+      this = mi.getExpr()
+    )
+  }
+}
+
+from NetworkByteSwap n
+select n

solutions/README.md

@@ -0,0 +1,8 @@
+# CodeQL U-Boot challenge (C/C++): sample solutions
+
+This folder contains sample solutions for each step of the course.
+They are there to help you if you get stuck, but please try to solve the tasks on your own first using the course hints, editor auto-completion, and documentation!
+
+There are often many ways to write the same CodeQL query. These solutions are just examples, and you may come up with other good ways to solve the same tasks.
+
+Happy query writing!