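/*
 * Here is a v2 of my check. I've changed it to mark all "->ssid" and
 * everything in "(struct ieee80211_network)" as protected. I'm just playing
 * around with it at this point to explore what works best. It's impossible
 * to know until after some results come back.
 *
 * regards,
 * dan carpenter
 */

/*
 * check_protected_member: a smatch check that warns about memcpy() calls
 * whose destination is a "protected" struct member (currently the SSID
 * buffers of the wireless drivers) when the copy length is not provably
 * bounded by the destination size.
 */
#include "smatch.h"
#include "smatch_slist.h"
#include "smatch_extra.h"

static int my_id;

/* Members with a known fixed size; matched exactly against get_member_name(). */
static struct {
	const char *type_name;
	int len;
} member_list[] = {
	{ "(struct ieee80211_network)->ssid", 32 },
	{ "(struct rtllib_network)->ssid", 32 },
};

/*
 * Every member of this struct is treated as protected, whatever its name.
 * The prefix length is derived from the literal so the two cannot drift apart.
 */
static const char protected_struct_prefix[] = "(struct ieee80211_network)";

/*
 * Classify a destination member name.
 *
 * Returns the fixed size from member_list on an exact match, 0 when the
 * member is protected but its size must be derived from the expression
 * (any "->ssid" member, or any member of the protected struct), and -1 when
 * the member is not protected at all.
 */
static int protected_member_size(const char *member_name)
{
	size_t i;

	for (i = 0; i < ARRAY_SIZE(member_list); i++) {
		if (strcmp(member_name, member_list[i].type_name) == 0)
			return member_list[i].len;
	}
	/*
	 * Deliberately loose: this is a substring test, so it also matches
	 * names such as "->ssid_len".  That is what the author asked for while
	 * exploring; tighten it if the results show too much noise.
	 */
	if (strstr(member_name, "->ssid"))
		return 0;
	if (strncmp(member_name, protected_struct_prefix,
		    sizeof(protected_struct_prefix) - 1) == 0)
		return 0;
	return -1;
}

/*
 * Hook for memcpy(dest, src, n) (and __memcpy): warn when dest is a protected
 * member and the possible range of n is not known to fit in it.
 *
 * @fn:      hooked function name (unused).
 * @expr:    the call expression.
 * @_unused: hook data (unused).
 */
static void match_memcpy(const char *fn, struct expression *expr, void *_unused)
{
	struct expression *dest, *size_arg;
	struct range_list *rl;
	char *member_name;
	int dest_size;

	/* memcpy(dest, src, n): arguments 0 and 2. */
	dest = get_argument_from_call_expr(expr->args, 0);
	size_arg = get_argument_from_call_expr(expr->args, 2);
	if (!dest || !size_arg)
		return;

	member_name = get_member_name(dest);
	if (!member_name)
		return;

	dest_size = protected_member_size(member_name);
	if (dest_size < 0)
		goto free;
	if (dest_size == 0)
		dest_size = get_array_size_bytes(dest);

	get_absolute_rl(size_arg, &rl);

	/*
	 * Compare through sval_cmp_val() instead of reading .value directly.
	 * The size argument is normally unsigned; for an unbounded size_t the
	 * range maximum is ULONG_MAX, whose .value reads as -1 and would pass a
	 * plain "<= dest_size" test -- silently hiding exactly the unbounded
	 * copies this check exists to catch.
	 */
	if (sval_cmp_val(rl_max(rl), dest_size) <= 0)
		goto free;
	/*
	 * Destination size unknown (get_array_size_bytes() may report 0 or a
	 * negative value): accept the copy if its length is at least capped.
	 */
	if (dest_size <= 0 && is_capped(size_arg))
		goto free;

	sm_msg("protected struct member '%s' overflow: rl='%s'",
	       member_name, show_rl(rl));
free:
	free_string(member_name);
}

/*
 * Register the check.  Kernel-only, since the protected members are kernel
 * driver structures.
 *
 * NOTE(review): memmove() and strncpy() take (dest, src, n) in the same
 * positions and could be hooked with the same callback if wider coverage is
 * wanted; left as-is to keep the result set comparable with v2.
 */
void check_protected_member(int id)
{
	if (option_project != PROJ_KERNEL)
		return;
	my_id = id;
	add_function_hook("memcpy", &match_memcpy, NULL);
	add_function_hook("__memcpy", &match_memcpy, NULL);
}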