Semmle 1.21
Skip to end of metadata
Go to start of metadata

Name: Suspicious add with sizeof

Description: Explicitly scaled pointer arithmetic expressions can cause buffer overflow conditions if the offset is also implicitly scaled.

ID: cpp/suspicious-add-sizeof

Kind: problem

Severity: warning

Precision: high

Query: SuspiciousAddWithSizeof.ql
/**
 * @name Suspicious add with sizeof
 * @description Explicitly scaled pointer arithmetic expressions
 *              can cause buffer overflow conditions if the offset is also
 *              implicitly scaled.
 * @kind problem
 * @problem.severity warning
 * @precision high
 * @id cpp/suspicious-add-sizeof
 * @tags security
 *       external/cwe/cwe-468
 */
import cpp
import IncorrectPointerScalingCommon

private predicate isCharSzPtrExpr(Expr e) {
  exists (PointerType pt
  | pt = e.getFullyConverted().getUnspecifiedType()
  | pt.getBaseType() instanceof CharType
  or pt.getBaseType() instanceof VoidType)
}

from Expr sizeofExpr, Expr e
where
  // If we see an addWithSizeof then we expect the type of
  // the pointer expression to be char* or void*. Otherwise it
  // is probably a mistake.
  addWithSizeof(e, sizeofExpr, _) and not isCharSzPtrExpr(e)
select
  sizeofExpr,
  "Suspicious sizeof offset in a pointer arithmetic expression. " +
  "The type of the pointer is " +
  e.getFullyConverted().getType().toString() + "."

Pointer arithmetic in C and C++ is automatically scaled according to the size of the data type. For example, if the type of p is T* and sizeof(T) == 4 then the expression p+1 adds 4 bytes to p.

This query finds code of the form p + k*sizeof(T). Such code is usually a mistake because there is no need to manually scale the offset by sizeof(T).

Recommendation
  1. Whenever possible, use the array subscript operator rather than pointer arithmetic. For example, replace *(p+k) with p[k].
  2. Cast to the correct type before using pointer arithmetic. For example, if the type of p is char* but it really points to an array of type double[] then use the syntax (double*)p + k to get a pointer to the k'th element of the array.
Example

int example1(int i) {
  int intArray[10] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };
  int *intPointer = intArray;
  // BAD: the offset is already automatically scaled by sizeof(int),
  // so this code will compute the wrong offset.
  return *(intPointer + (i * sizeof(int)));
}

int example2(int i) {
  int intArray[10] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };
  int *intPointer = intArray;
  // GOOD: the offset is automatically scaled by sizeof(int).
  return *(intPointer + i);
}

References
  • Common Weakness Enumeration: CWE-468.