1 /*
2  * Copyright (C) 2013 Oracle.
3  *
4  * This program is free software; you can redistribute it and/or
5  * modify it under the terms of the GNU General Public License
6  * as published by the Free Software Foundation; either version 2
7  * of the License, or (at your option) any later version.
8  *
9  * This program is distributed in the hope that it will be useful,
10  * but WITHOUT ANY WARRANTY; without even the implied warranty of
11  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12  * GNU General Public License for more details.
13  *
14  * You should have received a copy of the GNU General Public License
15  * along with this program; if not, see http://www.gnu.org/copyleft/gpl.txt
16  */
17 
18 #include <stdlib.h>
19 #include <errno.h>
20 #include "parse.h"
21 #include "smatch.h"
22 #include "smatch_slist.h"
23 #include "smatch_extra.h"
24 
25 #define UNKNOWN_SIZE (-1)
26 
27 static int my_strlen_id;
28 /*
29  * The trick with the my_equiv_id is that if we have:
30  * foo = strlen(bar);
31  * We don't know at that point what the strlen() is but we know it's equivalent
32  * to "foo" so maybe we can find the value of "foo" later.
33  */
34 static int my_equiv_id;
35 
36 static struct smatch_state *size_to_estate(int size)
37 {
38 	sval_t sval;
39 
40 	sval.type = &int_ctype;
41 	sval.value = size;
42 
43 	return alloc_estate_sval(sval);
44 }
45 
46 static struct smatch_state *unmatched_strlen_state(struct sm_state *sm)
47 {
48 	return size_to_estate(UNKNOWN_SIZE);
49 }
50 
51 static void set_strlen_undefined(struct sm_state *sm, struct expression *mod_expr)
52 {
53 	set_state(sm->owner, sm->name, sm->sym, size_to_estate(UNKNOWN_SIZE));
54 }
55 
56 static void set_strlen_equiv_undefined(struct sm_state *sm, struct expression *mod_expr)
57 {
58 	set_state(sm->owner, sm->name, sm->sym, &undefined);
59 }
60 
61 static void match_string_assignment(struct expression *expr)
62 {
63 	struct range_list *rl;
64 
65 	if (expr->op != '=')
66 		return;
67 	if (!get_implied_strlen(expr->right, &rl))
68 		return;
69 	set_state_expr(my_strlen_id, expr->left, alloc_estate_rl(clone_rl(rl)));
70 }
71 
72 static void match_strlen(const char *fn, struct expression *expr, void *unused)
73 {
74 	struct expression *right;
75 	struct expression *str;
76 	struct expression *len_expr;
77 	char *len_name;
78 	struct smatch_state *state;
79 
80 	right = strip_expr(expr->right);
81 	str = get_argument_from_call_expr(right->args, 0);
82 	len_expr = strip_expr(expr->left);
83 
84 	len_name = expr_to_var(len_expr);
85 	if (!len_name)
86 		return;
87 
88 	state = __alloc_smatch_state(0);
89         state->name = len_name;
90 	state->data = len_expr;
91 
92 	set_state_expr(my_equiv_id, str, state);
93 }
94 
95 static void match_strlen_condition(struct expression *expr)
96 {
97 	struct expression *left;
98 	struct expression *right;
99 	struct expression *str = NULL;
100 	int strlen_left = 0;
101 	int strlen_right = 0;
102 	sval_t sval;
103 	struct smatch_state *true_state = NULL;
104 	struct smatch_state *false_state = NULL;
105 	int op;
106 
107 	if (expr->type != EXPR_COMPARE)
108 		return;
109 
110 	left = strip_expr(expr->left);
111 	right = strip_expr(expr->right);
112 
113 	if (left->type == EXPR_CALL && sym_name_is("strlen", left->fn)) {
114 		str = get_argument_from_call_expr(left->args, 0);
115 		strlen_left = 1;
116 	}
117 	if (right->type == EXPR_CALL && sym_name_is("strlen", right->fn)) {
118 		str = get_argument_from_call_expr(right->args, 0);
119 		strlen_right = 1;
120 	}
121 
122 	if (!strlen_left && !strlen_right)
123 		return;
124 	if (strlen_left && strlen_right)
125 		return;
126 
127 	op = expr->op;
128 	if (strlen_left) {
129 		if (!get_value(right, &sval))
130 			return;
131 	} else {
132 		op = flip_comparison(op);
133 		if (!get_value(left, &sval))
134 			return;
135 	}
136 
137 	switch (op) {
138 	case '<':
139 	case SPECIAL_UNSIGNED_LT:
140 		true_state = size_to_estate(sval.value - 1);
141 		break;
142 	case SPECIAL_LTE:
143 	case SPECIAL_UNSIGNED_LTE:
144 		true_state = size_to_estate(sval.value);
145 		break;
146 	case SPECIAL_EQUAL:
147 		true_state = size_to_estate(sval.value);
148 		break;
149 	case SPECIAL_NOTEQUAL:
150 		false_state = size_to_estate(sval.value);
151 		break;
152 	case SPECIAL_GTE:
153 	case SPECIAL_UNSIGNED_GTE:
154 		false_state = size_to_estate(sval.value - 1);
155 		break;
156 	case '>':
157 	case SPECIAL_UNSIGNED_GT:
158 		false_state = size_to_estate(sval.value);
159 		break;
160 	}
161 
162 	set_true_false_states_expr(my_strlen_id, str, true_state, false_state);
163 }
164 
165 static void match_snprintf(const char *fn, struct expression *expr, void *unused)
166 {
167 	struct expression *dest;
168 	struct expression *dest_size_expr;
169 	sval_t limit_size;
170 
171 	dest = get_argument_from_call_expr(expr->args, 0);
172 	dest_size_expr = get_argument_from_call_expr(expr->args, 1);
173 
174 	if (!get_implied_value(dest_size_expr, &limit_size))
175 		return;
176 
177 	if (limit_size.value <= 0)
178 		return;
179 
180 	set_state_expr(my_strlen_id, dest, size_to_estate(limit_size.value - 1));
181 }
182 
183 static void match_strlcpycat(const char *fn, struct expression *expr, void *unused)
184 {
185 	struct expression *dest;
186 	struct expression *src;
187 	struct expression *limit_expr;
188 	int src_len;
189 	sval_t limit;
190 
191 	dest = get_argument_from_call_expr(expr->args, 0);
192 	src = get_argument_from_call_expr(expr->args, 1);
193 	limit_expr = get_argument_from_call_expr(expr->args, 2);
194 
195 	src_len = get_size_from_strlen(src);
196 
197 	if (!get_implied_max(limit_expr, &limit))
198 		return;
199 	if (limit.value < 0 || limit.value > INT_MAX)
200 		return;
201 	if (src_len != 0 && strcmp(fn, "strcpy") == 0 && src_len < limit.value)
202 		limit.value = src_len;
203 
204 	set_state_expr(my_strlen_id, dest, size_to_estate(limit.value - 1));
205 }
206 
207 static void match_strcpy(const char *fn, struct expression *expr, void *unused)
208 {
209 	struct expression *dest;
210 	struct expression *src;
211 	int src_len;
212 
213 	dest = get_argument_from_call_expr(expr->args, 0);
214 	src = get_argument_from_call_expr(expr->args, 1);
215 
216 	src_len = get_size_from_strlen(src);
217 	if (src_len == 0)
218 		return;
219 
220 	set_state_expr(my_strlen_id, dest, size_to_estate(src_len - 1));
221 }
222 
223 static int get_strlen_from_string(struct expression *expr, struct range_list **rl)
224 {
225 	sval_t sval;
226 	int len;
227 
228 	len = expr->string->length;
229 	sval = sval_type_val(&int_ctype, len - 1);
230 	*rl = alloc_rl(sval, sval);
231 	return 1;
232 }
233 
234 
235 static int get_strlen_from_state(struct expression *expr, struct range_list **rl)
236 {
237 	struct smatch_state *state;
238 
239 	state = get_state_expr(my_strlen_id, expr);
240 	if (!state)
241 		return 0;
242 	*rl = estate_rl(state);
243 	return 1;
244 }
245 
246 static int get_strlen_from_equiv(struct expression *expr, struct range_list **rl)
247 {
248 	struct smatch_state *state;
249 
250 	state = get_state_expr(my_equiv_id, expr);
251 	if (!state || !state->data)
252 		return 0;
253 	if (!get_implied_rl((struct expression *)state->data, rl))
254 		return 0;
255 	return 1;
256 }
257 
258 /*
259  * This returns the strlen() without the NUL char.
260  */
261 int get_implied_strlen(struct expression *expr, struct range_list **rl)
262 {
263 
264 	*rl = NULL;
265 
266 	expr = strip_expr(expr);
267 	if (expr->type == EXPR_STRING)
268 		return get_strlen_from_string(expr, rl);
269 
270 	if (get_strlen_from_state(expr, rl))
271 		return 1;
272 	if (get_strlen_from_equiv(expr, rl))
273 		return 1;
274 	return 0;
275 }
276 
277 int get_size_from_strlen(struct expression *expr)
278 {
279 	struct range_list *rl;
280 	sval_t max;
281 
282 	if (!get_implied_strlen(expr, &rl))
283 		return 0;
284 	max = rl_max(rl);
285 	if (sval_is_negative(max) || sval_is_max(max))
286 		return 0;
287 
288 	return max.value + 1; /* add one because strlen doesn't include the NULL */
289 }
290 
291 void set_param_strlen(const char *name, struct symbol *sym, char *key, char *value)
292 {
293 	struct range_list *rl = NULL;
294 	struct smatch_state *state;
295 	char fullname[256];
296 
297 	if (strncmp(key, "$", 1) != 0)
298 		return;
299 
300 	snprintf(fullname, 256, "%s%s", name, key + 1);
301 
302 	str_to_rl(&int_ctype, value, &rl);
303 	if (!rl || is_whole_rl(rl))
304 		return;
305 	state = alloc_estate_rl(rl);
306 	set_state(my_strlen_id, fullname, sym, state);
307 }
308 
309 static void match_call(struct expression *expr)
310 {
311 	struct expression *arg;
312 	struct range_list *rl;
313 	int i;
314 
315 	i = 0;
316 	FOR_EACH_PTR(expr->args, arg) {
317 		if (!get_implied_strlen(arg, &rl))
318 			continue;
319 		if (!is_whole_rl(rl))
320 			sql_insert_caller_info(expr, STR_LEN, i, "$", show_rl(rl));
321 		i++;
322 	} END_FOR_EACH_PTR(arg);
323 }
324 
325 static void struct_member_callback(struct expression *call, int param, char *printed_name, struct sm_state *sm)
326 {
327 	if (sm->state == &merged)
328 		return;
329 	sql_insert_caller_info(call, STR_LEN, param, printed_name, sm->state->name);
330 }
331 
332 void register_strlen(int id)
333 {
334 	my_strlen_id = id;
335 
336 	add_unmatched_state_hook(my_strlen_id, &unmatched_strlen_state);
337 
338 	select_caller_info_hook(set_param_strlen, STR_LEN);
339 	add_hook(&match_string_assignment, ASSIGNMENT_HOOK);
340 
341 	add_modification_hook(my_strlen_id, &set_strlen_undefined);
342 	add_merge_hook(my_strlen_id, &merge_estates);
343 	add_hook(&match_call, FUNCTION_CALL_HOOK);
344 	add_member_info_callback(my_strlen_id, struct_member_callback);
345 	add_hook(&match_strlen_condition, CONDITION_HOOK);
346 
347 	add_function_hook("snprintf", &match_snprintf, NULL);
348 
349 	add_function_hook("strlcpy", &match_strlcpycat, NULL);
350 	add_function_hook("strlcat", &match_strlcpycat, NULL);
351 	add_function_hook("strcpy", &match_strcpy, NULL);
352 }
353 
354 void register_strlen_equiv(int id)
355 {
356 	my_equiv_id = id;
357 	add_function_assign_hook("strlen", &match_strlen, NULL);
358 	add_modification_hook(my_equiv_id, &set_strlen_equiv_undefined);
359 }
360 
361