Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create rule S7128: "strlen" should not be called on incremented pointers (CPP-5660) #4420

Draft
wants to merge 6 commits into
base: master
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from 5 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions rules/S7128/cfamily/metadata.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
{
"title": "\"strlen\" should not be called on incremented pointer",
tomasz-kaminski-sonarsource marked this conversation as resolved.
Show resolved Hide resolved
"type": "CODE_SMELL",
"status": "ready",
"remediation": {
"func": "Constant\/Issue",
"constantCost": "5min"
},
"tags": [
],
"defaultSeverity": "Minor",
tomasz-kaminski-sonarsource marked this conversation as resolved.
Show resolved Hide resolved
"ruleSpecification": "RSPEC-7128",
"sqKey": "S7128",
"scope": "All",
"defaultQualityProfiles": ["Sonar way"],
"quickfix": "infeasible",
"code": {
"impacts": {
"RELIABILITY": "MEDIUM",
"SECURITY": "LOW"
},
"attribute": "CLEAR"
}
}
72 changes: 72 additions & 0 deletions rules/S7128/cfamily/rule.adoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
This rule raises the issue of calls `strlen(ptr + 1)`, for which the intent is unclear.
tomasz-kaminski-sonarsource marked this conversation as resolved.
Show resolved Hide resolved

== Why is this an issue?

The call `strlen(ptr) + 1` is commonly used to compute the memory required to copy a string:
the one is needed to allocate space for a null-terminator.
tomasz-kaminski-sonarsource marked this conversation as resolved.
Show resolved Hide resolved

The very similar call `strlen(ptr + 1)` that differs by placement of the right parenthesis,
tomasz-kaminski-sonarsource marked this conversation as resolved.
Show resolved Hide resolved
produces vastly different results:

* non-empty string computes the length of string without the first character (reduced by one)
tomasz-kaminski-sonarsource marked this conversation as resolved.
Show resolved Hide resolved
* if the string is empty, traverse memory after it until the null terminator (`'\0'`) is found.
tomasz-kaminski-sonarsource marked this conversation as resolved.
Show resolved Hide resolved

The latter may lead to undefined behavior.

Due above, the `strlen(ptr + 1)` calls are likely to be unintended
and result from the type. This rule raises issues on such calls.
tomasz-kaminski-sonarsource marked this conversation as resolved.
Show resolved Hide resolved

=== Code examples

==== Noncompliant code example

[source,c]
tomasz-kaminski-sonarsource marked this conversation as resolved.
Show resolved Hide resolved
----
size_t size = strlen(ptr + 1); // Noncompliant
----

==== Compliant solution

If the use of `strlen(ptr + 1)` was an typo:

[source,c]
tomasz-kaminski-sonarsource marked this conversation as resolved.
Show resolved Hide resolved
----
size_t size = strlen(ptr) + 1; // Compliant
----

In case when the `strlen(ptr + 1)` was intentional, to preserve the same behavior, you may increment the pointer before the call.
frederic-tingaud-sonarsource marked this conversation as resolved.
Show resolved Hide resolved

[source,c]
----
char const* next = ptr + 1;
size_t size = strlen(next); // Compliant
----

This will convey the intent more clearly and avoid any uncertainty regarding the intent.

=== What is the potential impact?

If `strlen(ptr + 1)` is accidentally used instead of `strlen(ptr) + 1`, it may have a wide range of effects.
For example, it can lead to buffer overflow if the operation was used to compute the required memory:

[source,c]
----
char* duplicate(char const* source) {
char result = (char*)malloc(strlen(source + 1)); // Should be malloc(strlen(source) + 1))
tomasz-kaminski-sonarsource marked this conversation as resolved.
Show resolved Hide resolved
strcpy(result, source); // Writes two characters outside of "result" buffer
return result;
}
----

Buffer overflow, as other undefined behavior, has a wide range of effects.
tomasz-kaminski-sonarsource marked this conversation as resolved.
Show resolved Hide resolved
In many cases, the access works by accident and succeeds at writing or reading a value.
However, it can start misbehaving at any time.
If compilation flags, compiler, platform, or runtime environment change,
the same code can crash the application, corrupt memory, or leak a secret.

=== Going extra mile.

{cpp} offers `std::string`, `std::string_view` and many other functions simplifying operating on strings.
When possible, higher-level features should be preferred over C-string APIs.


2 changes: 2 additions & 0 deletions rules/S7128/metadata.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
{
}
Loading