check_strcpy_overflow.c

   1 /*
   2  * Copyright (C) 2010 Dan Carpenter.
   3  *
   4  * This program is free software; you can redistribute it and/or
   5  * modify it under the terms of the GNU General Public License
   6  * as published by the Free Software Foundation; either version 2
   7  * of the License, or (at your option) any later version.
   8  *
   9  * This program is distributed in the hope that it will be useful,
  10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  * GNU General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU General Public License
  15  * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
  16  */
  17
  18 #include "smatch.h"
  19
  20 static void match_strcpy(const char *fn, struct expression *expr, void *unused)
  21 {
  22         struct expression *dest;
  23         struct expression *data;
  24         char *dest_name = NULL;
  25         char *data_name = NULL;
  26         int dest_size;
  27         int data_size;
  28
  29         dest = get_argument_from_call_expr(expr->args, 0);
  30         data = get_argument_from_call_expr(expr->args, 1);
  31         dest_size = get_array_size_bytes(dest);
  32         if (!dest_size)
  33                 return;
  34
  35         data_size = get_size_from_strlen(data);
  36         if (!data_size)
  37                 data_size = get_array_size_bytes(data);
  38
  39         /* If the size of both arrays is known and the destination
  40          * buffer is larger than the source buffer, we're okay.
  41          */
  42         if (data_size && dest_size >= data_size)
  43                 return;
  44
  45         dest_name = expr_to_str(dest);
  46         data_name = expr_to_str(data);
  47
  48         if (data_size)
  49                 sm_msg("error: %s() '%s' too large for '%s' (%d vs %d)",
  50                         fn, data_name, dest_name, data_size, dest_size);
  51         else if (option_spammy)
  52                 sm_msg("warn: %s() '%s' of unknown size might be too large for '%s'",
  53                         fn, data_name, dest_name);
  54
  55         free_string(dest_name);
  56         free_string(data_name);
  57 }
  58
  59 void check_strcpy_overflow(int id)
  60 {
  61         add_function_hook("strcpy", &match_strcpy, NULL);
  62 }