check_buffer_too_small_for_struct.c

   1 /*
   2  * Copyright (C) 2014 Oracle.
   3  *
   4  * This program is free software; you can redistribute it and/or
   5  * modify it under the terms of the GNU General Public License
   6  * as published by the Free Software Foundation; either version 2
   7  * of the License, or (at your option) any later version.
   8  *
   9  * This program is distributed in the hope that it will be useful,
  10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12  * GNU General Public License for more details.
  13  *
  14  * You should have received a copy of the GNU General Public License
  15  * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
  16  */
  17
  18 #include "smatch.h"
  19
  20 static int my_id;
  21
  22 STATE(too_small);
  23
  24 static void match_assign(struct expression *expr)
  25 {
  26         struct symbol *left_type, *right_type;
  27         struct expression *size_expr;
  28         sval_t min_size;
  29
  30         left_type = get_type(expr->left);
  31         if (!left_type || left_type->type != SYM_PTR)
  32                 return;
  33         left_type = get_real_base_type(left_type);
  34         if (!left_type || left_type->type != SYM_STRUCT)
  35                 return;
  36
  37         right_type = get_type(expr->right);
  38         if (!right_type || right_type->type != SYM_PTR)
  39                 return;
  40         right_type = get_real_base_type(right_type);
  41         if (!right_type)
  42                 return;
  43         if (right_type != &void_ctype && type_bits(right_type) != 8)
  44                 return;
  45
  46         size_expr = get_size_variable(expr->right);
  47         if (!size_expr)
  48                 return;
  49
  50         get_absolute_min(size_expr, &min_size);
  51         if (min_size.value >= type_bytes(left_type))
  52                 return;
  53
  54         set_state_expr(my_id, expr->left, &too_small);
  55 }
  56
  57 static void match_dereferences(struct expression *expr)
  58 {
  59         struct symbol *left_type;
  60         struct expression *right;
  61         struct smatch_state *state;
  62         char *name;
  63         struct expression *size_expr;
  64         sval_t min_size;
  65
  66         if (expr->type != EXPR_PREOP)
  67                 return;
  68
  69         expr = strip_expr(expr->unop);
  70         state = get_state_expr(my_id, expr);
  71         if (state != &too_small)
  72                 return;
  73
  74         left_type = get_type(expr);
  75         if (!left_type || left_type->type != SYM_PTR)
  76                 return;
  77         left_type = get_real_base_type(left_type);
  78         if (!left_type || left_type->type != SYM_STRUCT)
  79                 return;
  80
  81         right = get_assigned_expr(expr);
  82         size_expr = get_size_variable(right);
  83         if (!size_expr)
  84                 return;
  85
  86         get_absolute_min(size_expr, &min_size);
  87         if (min_size.value >= type_bytes(left_type))
  88                 return;
  89
  90         name = expr_to_str(right);
  91         sm_msg("warn: is '%s' large enough for 'struct %s'? %s", name, left_type->ident ? left_type->ident->name : "<anon>", sval_to_str(min_size));
  92         free_string(name);
  93         set_state_expr(my_id, expr, &undefined);
  94 }
  95
  96 void check_buffer_too_small_for_struct(int id)
  97 {
  98         my_id = id;
  99
 100         add_hook(&match_assign, ASSIGNMENT_HOOK);
 101         add_hook(&match_dereferences, DEREF_HOOK);
 102 }