[clang] [analyzer] Add optin.taint.TaintedDiv checker (PR #106389)
DonĂ¡t Nagy via cfe-commits
cfe-commits at lists.llvm.org
Mon Sep 30 04:57:51 PDT 2024
================
@@ -1288,6 +1288,34 @@ by explicitly marking the ``size`` parameter as sanitized. See the
delete[] ptr;
}
+.. _optin-taint-TaintedDiv:
+
+optin.taint.TaintedDiv (C, C++, ObjC)
+"""""""""""""""""""""""""""""""""""""
+This checker warns when the denominator in a division
+operation is a tainted (potentially attacker controlled) value.
+If the attacker can set the denominator to 0, a runtime error can
+be triggered. The checker warns if the analyzer cannot prove
+that the denominator is not 0 and it is a tainted value.
+This warning is more pessimistic than the :ref:`core-DivideZero` checker
+which warns only when it can prove that the denominator is 0.
+
+.. code-block:: c
+
+ int vulnerable(int n) {
+ size_t size = 0;
+ scanf("%zu", &size);
+ return n/size; // warn: Division by a tainted value, possibly zero
+ }
+
+ int not_vulnerable(int n) {
+ size_t size = 0;
+ scanf("%zu", &size);
+ if (!size)
+ return 0;
+ return n/size; // no warning
----------------
NagyDonat wrote:
```suggestion
return n / size; // no warning
```
As above.
https://github.com/llvm/llvm-project/pull/106389
More information about the cfe-commits
mailing list