authorToni <matzeton@googlemail.com>2022-05-31 16:46:44 +0200
committerGitHub <noreply@github.com>2022-05-31 16:46:44 +0200
commit00c62a7c3cbf9e6dbbdb22fcbb611f9f7cc19980 (patch)
tree3399ec3229b702c55380471c2003ff5da5a8172d
parentd8d806c79fb78233210d6416e6c34ae1414d9cf8 (diff)
Removed LGTM ql query for packet payload integer arithmetic. (#1570)
* Detection is unreliable and results in too many false positives (and false negatives!) Signed-off-by: lns <matzeton@googlemail.com>
-rw-r--r--.lgtm/cpp-queries/packet-payload-integer-arithmetic.ql83
-rw-r--r--Makefile.am2
2 files changed, 1 insertions, 84 deletions
diff --git a/.lgtm/cpp-queries/packet-payload-integer-arithmetic.ql b/.lgtm/cpp-queries/packet-payload-integer-arithmetic.ql
deleted file mode 100644
index 5940f602a..000000000
--- a/.lgtm/cpp-queries/packet-payload-integer-arithmetic.ql
+++ /dev/null
@@ -1,83 +0,0 @@
-/**
-* @name Suspicious packet->payload based integer arithmetic
-* @description An arithmetic operation influenced array access is suspicious
-* if it uses an integer value that is likely to be network-controlled, and
-* may require a closer manual audit.
-* @kind problem
-* @problem.severity warning
-* @id cpp/packet-payload-integer-arithmetic
-* @tags audit security
-*/
-
-import cpp
-
-import semmle.code.cpp.dataflow.TaintTracking
-import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
-
-/** A source of an integer value that is likely to come from the network.
- * This is produced by an invocation of a macro of the form `ntoh*` or `get_u_int*_t`,
- * called with `packet->payload` as an argument.
- */
-
-class NetworkMacro extends Macro {
- NetworkMacro() { this.getName().regexpMatch("^ntoh(ll|l|s)") }
-}
-
-class NetworkIntegerSource extends Expr {
- NetworkIntegerSource() {
- exists(MacroInvocation mi |
- this = mi.getExpr() and
- mi.getUnexpandedArgument(0).regexpMatch(".*packet->payload.*") |
- // catch all get_u_int*_t(x)
- mi.getMacroName().regexpMatch("^get_u_int(64|32|16|8)_t") and
- // dedup ntoh*(get_u_int*_t(x)) since we'll catch those in the next case
- not mi.getOutermostMacroAccess().getMacro() instanceof NetworkMacro
- or
- // catch all ntoh*(x) ... this will also catch the nested cases
- mi.getMacro() instanceof NetworkMacro
- )
- }
-}
-
-class ArithmeticOperation extends Operation {
- ArithmeticOperation() {
- this instanceof UnaryArithmeticOperation or this instanceof BinaryArithmeticOperation
- }
-}
-
-class NetworkToArrayAccess extends TaintTracking::Configuration {
- NetworkToArrayAccess() { this = "NetworkToArrayAccess" }
-
- override predicate isSource(DataFlow::Node source) {
- source.asExpr() instanceof NetworkIntegerSource
- }
-
- override predicate isSink(DataFlow::Node sink) {
- exists(ArrayExpr ae | sink.asExpr() = ae.getArrayOffset())
- }
-}
-
-class NetworkToArithmetic extends TaintTracking::Configuration {
- NetworkToArithmetic() { this = "NetworkToArithmetic" }
-
- override predicate isSource(DataFlow::Node source) {
- source.asExpr() instanceof NetworkIntegerSource
- }
-
- override predicate isSink(DataFlow::Node sink) {
- exists (Assignment assign |
- sink.asExpr() = assign.getRValue().(ArithmeticOperation) or
- sink.asExpr() = assign.(AssignArithmeticOperation)
- ) or
- exists(LocalVariable var |
- sink.asExpr() = var.getInitializer().getExpr().(ArithmeticOperation)
- )
- }
-}
-
-// find audit candidates based on suspicious network integer use
-from NetworkIntegerSource source, Expr sink1, Expr sink2, NetworkToArithmetic config1, NetworkToArrayAccess config2
-where config1.hasFlow(DataFlow::exprNode(source), DataFlow::exprNode(sink1))
- // or this if you want integer arithmeric _OR_ array accesses
- and config2.hasFlow(DataFlow::exprNode(source), DataFlow::exprNode(sink2))
-select source, "Suspicious use of network integer arithmetic."
diff --git a/Makefile.am b/Makefile.am
index 463c043c3..aef1c611e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -18,7 +18,7 @@ EXTRA_DIST = README.md README.nDPI README.fuzzer.md CHANGELOG.md CONTRIBUTING.md
python/DEV_GUIDE.md python/dev_requirements.txt python/ndpi_example.py python/ndpi/__init__.py \
python/ndpi/ndpi_build.py python/ndpi/ndpi.py python/README.md \
python/requirements.txt python/setup.py python/tests.py \
- sonar-project.properties .github .ci-ignore .lgtm/cpp-queries/packet-payload-integer-arithmetic.ql lgtm.yml
+ sonar-project.properties .github .ci-ignore lgtm.yml
.PHONY: doc doc-view
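Review bot: The deleted query was the only `.lgtm/cpp-queries` file distributed via EXTRA_DIST, yet `lgtm.yml` stays on the same line; if that configuration still points LGTM at the `.lgtm/cpp-queries` directory (its contents are not visible here), confirm the run tolerates the now-empty directory rather than failing or silently skipping the C/C++ analysis. This also drops the project's only custom check for network-controlled integers flowing into array offsets and arithmetic, so recording that gap for maintainers would be useful, e.g. a comment next to the queries setting in `lgtm.yml` such as `# custom cpp-queries removed in #1570 (unreliable); default LGTM suites only`. A matching CHANGELOG line would make the reduced static-analysis coverage visible to downstream packagers who rely on EXTRA_DIST contents.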