check_buffer_too_small_for_struct.c

   1 /*
   2  * Copyright (C) 2014 Oracle.
   3  *
   4  * This program is free software; you can redistribute it and/or
   5  * modify it under the terms of the GNU General Public License
   6  * as published by the Free Software Foundation; either version 2
   7  * of the License, or (at your option) any later version.
   8  *
   9  * This program is distributed in the hope that it will be useful,
  10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  * GNU General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU General Public License
  15  * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
  16  */
  17
  18 #include "smatch.h"
  19
  20 static int my_id;
  21
  22 STATE(too_small);
  23
  24 static void match_assign(struct expression *expr)
  25 {
  26         struct symbol *left_type, *right_type;
  27         struct expression *size_expr;
  28         sval_t min_size;
  29         int limit_type;
  30         int bytes;
  31
  32         left_type = get_type(expr->left);
  33         if (!left_type || left_type->type != SYM_PTR)
  34                 return;
  35         left_type = get_real_base_type(left_type);
  36         if (!left_type || left_type->type != SYM_STRUCT)
  37                 return;
  38
  39         right_type = get_type(expr->right);
  40         if (!right_type || right_type->type != SYM_PTR)
  41                 return;
  42         right_type = get_real_base_type(right_type);
  43         if (!right_type)
  44                 return;
  45         if (right_type != &void_ctype && type_bits(right_type) != 8)
  46                 return;
  47
  48         bytes = get_array_size_bytes(expr->right);
  49         if (bytes >= type_bytes(left_type))
  50                 return;
  51
  52         size_expr = get_size_variable(expr->right, &limit_type);
  53         if (!size_expr)
  54                 return;
  55         if (limit_type != ELEM_COUNT)
  56                 return;
  57
  58         get_absolute_min(size_expr, &min_size);
  59         if (min_size.value >= type_bytes(left_type))
  60                 return;
  61
  62         set_state_expr(my_id, expr->left, &too_small);
  63 }
  64
  65 static void match_dereferences(struct expression *expr)
  66 {
  67         struct symbol *left_type;
  68         struct expression *right;
  69         struct smatch_state *state;
  70         char *name;
  71         struct expression *size_expr;
  72         sval_t min_size;
  73         int limit_type;
  74
  75         if (expr->type != EXPR_PREOP)
  76                 return;
  77
  78         expr = strip_expr(expr->unop);
  79         state = get_state_expr(my_id, expr);
  80         if (state != &too_small)
  81                 return;
  82
  83         left_type = get_type(expr);
  84         if (!left_type || left_type->type != SYM_PTR)
  85                 return;
  86         left_type = get_real_base_type(left_type);
  87         if (!left_type || left_type->type != SYM_STRUCT)
  88                 return;
  89
  90         right = get_assigned_expr(expr);
  91         size_expr = get_size_variable(right, &limit_type);
  92         if (!size_expr)
  93                 return;
  94         if (limit_type != ELEM_COUNT)
  95                 return;
  96
  97         get_absolute_min(size_expr, &min_size);
  98         if (min_size.value >= type_bytes(left_type))
  99                 return;
 100
 101         name = expr_to_str(right);
 102         sm_warning("is '%s' large enough for 'struct %s'? %s", name, left_type->ident ? left_type->ident->name : "<anon>", sval_to_str(min_size));
 103         free_string(name);
 104         set_state_expr(my_id, expr, &undefined);
 105 }
 106
 107 void check_buffer_too_small_for_struct(int id)
 108 {
 109         my_id = id;
 110
 111         add_hook(&match_assign, ASSIGNMENT_HOOK);
 112         add_hook(&match_dereferences, DEREF_HOOK);
 113 }