-
Notifications
You must be signed in to change notification settings - Fork 66
/
Copy pathoff-by-one.yaml
74 lines (74 loc) · 2.79 KB
/
off-by-one.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
rules:
- id: raptor-off-by-one
metadata:
author: Marco Ivaldi <raptor@0xdeadbeef.info>
references:
- https://cwe.mitre.org/data/definitions/193
- https://cwe.mitre.org/data/definitions/787
- https://g.co/kgs/PCHQjJ
- /~https://github.com/struct/mms
confidence: MEDIUM
# NOTE: heap-allocated buffers and some functions are not covered.
# NOTE: memcpy(dst + 1, p, len) and similar scenarios are not covered.
# NOTE: pattern {$len=snprintf(_); malloc($len);} is not covered.
# NOTE: see also cpp.strings.alloc-strlen.alloc-strlen and
# cpp.strings.missing-nul-cpp-string-memcpy.missing-nul-cpp-string-memcpy.
message: >-
The software calculates or uses an incorrect maximum or minimum value
that is 1 more, or 1 less, than the correct value.
severity: WARNING
languages:
- c
- cpp
pattern-either:
# array access
- pattern: $BUF[sizeof($BUF)] = $EXPR
- patterns:
- pattern: $BUF[$LEN] = $EXPR
- pattern-inside: |
$TYPE $BUF[$LEN];
...
$BUF[$LEN] = $EXPR;
- patterns:
- pattern: |
*($BUF + $LEN) = $EXPR
- pattern-inside: |
$TYPE $BUF[$LEN];
...
*($BUF + $LEN) = $EXPR;
# two-dimentional array access
- patterns:
- pattern: $BUF[$X][$Y] = $EXPR
- pattern-either:
- pattern-inside: |
$TYPE $BUF[$A][$Y];
...
$BUF[$X][$Y] = $EXPR;
- pattern-inside: |
$TYPE $BUF[$X][$B];
...
$BUF[$X][$Y] = $EXPR;
# suspicious loops
# - pattern: for (<... $I = $NUM ...>; <... $I <= $LEN ...>; <... $I++ ...>) ...
# - pattern: for (<... $I = $NUM ...>; <... $I <= $LEN ...>; <... ++$I ...>) ...
# <... $TYPE $I = 0 ...> is not supported by Semgrep
# - pattern: for ($TYPE $I = $NUM; <... $I <= $LEN ...>; <... $I++ ...>) ...
# - pattern: for ($TYPE $I = $NUM; <... $I <= $LEN ...>; <... ++$I ...>) ...
# - pattern: while (<... $I <= $LEN ...>) ...
# - pattern: do ... while (<... $I <= $LEN ...>);
# strlen vs. sizeof
- pattern: strlen($SRC) > sizeof($DST)
- pattern: strlen($SRC) <= sizeof($DST)
- pattern: sizeof($DST) < strlen($SRC)
- pattern: sizeof($DST) >= strlen($SRC)
# potential strncat misuse
- patterns:
- pattern: strncat($DST, $SRC, $LEN)
- metavariable-pattern:
metavariable: $LEN
patterns:
- pattern-not: $VAL - 1
# out-of-bound indexing: strlen($STR) con be 0 leading to a -1 index
- pattern: $STR[strlen($STR) - 1]
# no space allocated for NUL terminator
- pattern: malloc(strlen($STR))