C++: Update documentation for cpp/uncontrolled-allocation-size to clarify its scope #17211
Conversation
|
QHelp previews: cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.qhelpUncontrolled allocation sizeThis code allocates memory using a size value based on user input, with no apparent bound on its magnitude being established. This allows for arbitrary amounts of memory to be allocated. If the allocation size is calculated by multiplying user input by a RecommendationGuard all integer parameters that come from an external user. Implement a guard with the expected range for the parameter and make sure that the input value meets both the minimum and maximum requirements for this range. If the input value fails this guard then reject the request before proceeding further. If the input value passes the guard then subsequent calculations should not overflow. Exampleint factor = atoi(getenv("BRANCHING_FACTOR"));
// BAD: This can allocate too little memory if factor is very large due to overflow.
char **root_node = (char **) malloc(factor * sizeof(char *));
// GOOD: Prevent overflow and unbounded allocation size by checking the input.
if (factor > 0 && factor <= 1000) {
char **root_node = (char **) malloc(factor * sizeof(char *));
}This code shows one way to guard that an input value is within the expected range. If References
|
| @@ -40,10 +40,10 @@ int main(int argc, char **argv) { | |||
| int tainted = atoi(argv[1]); | |||
|
|
|||
| MyStruct *arr1 = (MyStruct *)malloc(sizeof(MyStruct)); // GOOD | |||
| MyStruct *arr2 = (MyStruct *)malloc(tainted); // DUBIOUS (not multiplied by anything) | |||
| MyStruct *arr2 = (MyStruct *)malloc(tainted); // BAD | |||
There was a problem hiding this comment.
Changed this comment as this unbounded allocation size is bad per the updated description of the query.
paldepind
force-pushed
the
uncontrolled-allocation-size-docs
branch
from
9d88021 to
46069af
Compare
paldepind
force-pushed
the
uncontrolled-allocation-size-docs
branch
from
46069af to
5e8ac5e
Compare
|
Good idea, I missed that. I've updated the query message now as well 😄 |
There was a problem hiding this comment.
Looks good to me.
If you add the ready-for-doc-review label, the docs team will check over your .qhelp and query metadata changes.
You should also add the no-change-note-required tag, which will inform CI that you've considered the changes and don't think they require a change note (unless you do, in which case see this doc and it goes here; roughly speaking, any change that affects query results or the way external developers would write queries of their own should have a change note).
paldepind
added
no-change-note-required
There was a problem hiding this comment.
Looks great, thank you—only some nit comments. Assuming you're happy with the suggestions, feel free to go ahead and merge once you've got an approval from your team (there's no need for me to approve again)
Apologies also if the suggestions mess up some formatting
| <p>This code allocates memory using a size value based on user input | ||
| with no apparent bound on its magnitude being established. This allows | ||
| for arbitrary amounts of memory being allocated.</p> |
There was a problem hiding this comment.
| <p>This code allocates memory using a size value based on user input | |
| with no apparent bound on its magnitude being established. This allows | |
| for arbitrary amounts of memory being allocated.</p> | |
| <p>This code allocates memory using a size value based on user input, with no apparent bound on its magnitude being established. This allows for arbitrary amounts of memory to be allocated.</p> |
| <p>If the allocation size is calculated by multiplying user input by a | ||
| <code>sizeof</code> expression the multiplication can overflow. When | ||
| an integer multiplication overflows in C, the result wraps around and | ||
| can be much smaller than intended. A later attempt to write data into | ||
| the allocated memory can then be out-of-bounds.</p> |
There was a problem hiding this comment.
| <p>If the allocation size is calculated by multiplying user input by a | |
| <code>sizeof</code> expression the multiplication can overflow. When | |
| an integer multiplication overflows in C, the result wraps around and | |
| can be much smaller than intended. A later attempt to write data into | |
| the allocated memory can then be out-of-bounds.</p> | |
| <p>If the allocation size is calculated by multiplying user input by a | |
| <code>sizeof</code> expression, the multiplication can overflow. When | |
| an integer multiplication overflows in C, the result wraps around and | |
| can be much smaller than intended. A later attempt to write data into | |
| the allocated memory can then be out of bounds.</p> |
|
Thanks @subatoi. I've applied the suggested changes. |
paldepind
added
the
depends on internal PR
Change the documentation of the
cpp/uncontrolled-allocation-sizequery to clarify its intended behavior/scope.#11215