|
1 | 1 | // Semmle test cases for rule CWE-497 |
2 | 2 |
|
3 | | -// library functions etc |
| 3 | +// --- library functions etc --- |
4 | 4 |
|
5 | 5 | #include "tests.h" |
6 | 6 |
|
| 7 | +typedef unsigned long size_t; |
| 8 | + |
| 9 | +void *memcpy(void *dest, const void *src, size_t count); |
7 | 10 | char *getenv(const char *name); |
8 | 11 | char *strcpy(char *s1, const char *s2); |
9 | | - |
10 | | - |
11 | | - |
12 | | - |
| 12 | +size_t strlen(const char *s); |
13 | 13 |
|
14 | 14 |
|
15 | 15 |
|
@@ -45,7 +45,7 @@ passwd *getpwuid(int uid); |
45 | 45 |
|
46 | 46 | int val(); |
47 | 47 |
|
48 | | -// test cases |
| 48 | +// --- test cases --- |
49 | 49 |
|
50 | 50 | const char *global1 = mysql_get_client_info(); |
51 | 51 | const char *global2 = "abc"; |
@@ -112,3 +112,51 @@ void test1() |
112 | 112 | send(sock, c2.ptr, val(), val()); // GOOD: not system data |
113 | 113 | } |
114 | 114 | } |
| 115 | + |
| 116 | +struct zmq_msg_t { |
| 117 | +}; |
| 118 | +typedef void (*zmq_free_fn)(); |
| 119 | + |
| 120 | +int zmq_msg_init_data(zmq_msg_t *msg, void *data, size_t size, zmq_free_fn *ffn, void *hint); |
| 121 | +int zmq_msg_init_size(zmq_msg_t *msg, size_t size); |
| 122 | +void *zmq_msg_data(zmq_msg_t *msg); |
| 123 | +int zmq_send(void *socket, const void *buf, size_t len, int flags); |
| 124 | +int zmq_sendmsg(void *socket, zmq_msg_t *msg, int flags); // deprecated |
| 125 | +int zmq_msg_send(zmq_msg_t *msg, void *socket, int flags); |
| 126 | + |
| 127 | +void test_zmq(void *remoteSocket) |
| 128 | +{ |
| 129 | + zmq_msg_t message; |
| 130 | + char *message_data; |
| 131 | + size_t message_len; |
| 132 | + |
| 133 | + // prepare data |
| 134 | + message_data = getenv("HOME"); |
| 135 | + message_len = strlen(message_data) + 1; |
| 136 | + |
| 137 | + // send as data |
| 138 | + if (zmq_send(socket, message_data, message_len, 0) >= 0) { // BAD: outputs HOME environment variable [NOT DETECTED] |
| 139 | + // ... |
| 140 | + } |
| 141 | + |
| 142 | + // send as message |
| 143 | + if (zmq_msg_init_data(&message, message_data, message_len, 0, 0)) { |
| 144 | + if (zmq_sendmsg(remoteSocket, &message, message_len)) { // BAD: outputs HOME environment variable [NOT DETECTED] |
| 145 | + // ... |
| 146 | + } |
| 147 | + if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable [NOT DETECTED] |
| 148 | + // ... |
| 149 | + } |
| 150 | + } |
| 151 | + |
| 152 | + // send as message (alternative path) |
| 153 | + if (zmq_msg_init_size(&message, message_len) == 0) { |
| 154 | + memcpy(zmq_msg_data(&message), message_data, message_len); |
| 155 | + if (zmq_sendmsg(remoteSocket,&message, message_len)) { // BAD: outputs HOME environment variable [NOT DETECTED] |
| 156 | + // ... |
| 157 | + } |
| 158 | + if (zmq_msg_send(&message, remoteSocket, message_len)) { // BAD: outputs HOME environment variable [NOT DETECTED] |
| 159 | + // ... |
| 160 | + } |
| 161 | + } |
| 162 | +} |
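Review bot: In `test_zmq`, the first case calls `zmq_send(socket, message_data, message_len, 0)` with `socket` instead of the `remoteSocket` parameter. No variable of that name is declared in the lines shown, so unless one exists in the part of the file not visible here this looks like a typo for `zmq_send(remoteSocket, message_data, message_len, 0)`, and the case may not exercise the intended sink once the query models `zmq_send`. The "send as message" branch is guarded by `if (zmq_msg_init_data(&message, message_data, message_len, 0, 0))`, which is entered on a non-zero return, while the alternative path checks `zmq_msg_init_size(&message, message_len) == 0`; using `== 0` in both would keep the two paths consistent. The `zmq_sendmsg` and `zmq_msg_send` calls also pass `message_len` in the position the stubs above declare as `int flags`, where `0` would match the declarations. A comment above the "prepare data" line such as `// getenv() result is system data; every send below should be reported` would document why each case is marked BAD.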