跳到主要内容

sqlite3_exec

API 概述

sqlite3_execlibsqlite3 中的一个API。该规属于mem leakage 类型。该规则是使用 Advance 生成的。

规则描述

提示

To avoid memory leaks, the application should invoke sqlite3_free() on error message strings returned through the 5th parameter of sqlite3_exec() after the error message string is no longer needed.

信息

标签:mem leakage

参数下标:N/A

CWE类别:CWE-772

规则代码

import cpp
import semmle.code.cpp.dataflow.TaintTracking
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.security.Security
import DataFlow::PathGraph
class TestConfiguration extends TaintTracking::Configuration {
  TestConfiguration() { this = "TestConfiguration" }

  override predicate isSource(DataFlow::Node source) {
    exists(FunctionCall fc, MacroInvocation mi |
      (fc.getTarget().hasQualifiedName("sqlite3_exec") or (
          mi.getMacroName() = "sqlite3_exec"
          and fc.getTarget().hasName(mi.getMacro().getBody())
         )
      )
      and ((fc.getArgument( 5-1) = source.asDefiningArgument() and  5-1 >= 0) or
        (fc = source.asExpr() and  5-1 = -1)
      )
    )
  }
override predicate isSink(DataFlow::Node sink) {
  exists(FunctionCall fc, MacroInvocation mi |
      (fc.getTarget().hasName("sqlite3_free") or (
        mi.getMacroName() = "sqlite3_free"
        and fc.getTarget().hasName(mi.getMacro().getBody())
       )
      )
      and fc.getAnArgument() = sink.asExpr()
    )
  }
}
from TestConfiguration cfg, FunctionCall fc, MacroInvocation mi
where (fc.getTarget().hasQualifiedName("sqlite3_exec") or (
          mi.getMacroName() = "sqlite3_exec"
          and fc.getTarget().hasName(mi.getMacro().getBody())
         )
      )
      and not exists(DataFlow::PathNode source, DataFlow::PathNode sink|cfg.hasFlowPath(source, sink) and
        ((fc.getArgument( 5-1) = source.getNode().asDefiningArgument() and  5-1 >= 0) or
          (fc = source.getNode().asExpr() and  5-1 = -1)
        )
      )
      and not (fc.getArgument( 5-1).isConstant() and  5-1>=0)
select fc.getLocation()