File: taint-realloc.c

package info (click to toggle)
gcc-arm-none-eabi 15%3A14.2.rel1-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 1,099,328 kB
  • sloc: cpp: 3,627,108; ansic: 2,571,498; ada: 834,230; f90: 235,082; makefile: 79,231; asm: 74,984; xml: 51,692; exp: 39,736; sh: 33,298; objc: 15,629; python: 15,069; fortran: 14,429; pascal: 7,003; awk: 5,070; perl: 3,106; ml: 285; lisp: 253; lex: 204; haskell: 135
file content (18 lines) | stat: -rw-r--r-- 555 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
 
#include "analyzer-decls.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* realloc with tainted size.  */

void *p;

void __attribute__((tainted_args))
test_1 (size_t sz) /* { dg-message "\\(1\\) function 'test_1' marked with '__attribute__\\(\\(tainted_args\\)\\)'" } */
{
  void *q;
  
  __analyzer_dump_state ("taint", sz); /* { dg-warning "state: 'tainted'" } */

  q = realloc (p, sz);  /* { dg-warning "use of attacker-controlled value 'sz' as allocation size without upper-bounds checking" } */
} /* { dg-warning "leak of 'q'" } */