Step 0: Finding the definition of memcpy, ntohl, ntohll, and ntohs

Question 0.0: Can you work out what the above query is doing?

The query finds the definition of the function strlen

Question 0.1: Modify the query to find the definition of memcpy.

import cpp

from Function f
where f.getName() = "memcpy"
select f, "a function named memcpy"

Question 0.2: ntohl, ntohll, and ntohs can either be functions or macros (depending on the platform where the code is compiled).

import cpp

from Macro m
where m.getName().regexpMatch("ntoh(s|l|ll)")
select m

Step 1: Finding the calls to memcpy, ntohl, ntohll, and ntohs

Question 1.0: Find all the calls to memcpy

import cpp

// Version with two variables
// from Function f, FunctionCall c
// where c.getTarget() = f and f.getName() = "memcpy"
// select c, f

// More compact version with the Function variable implicit
from FunctionCall c
where c.getTarget().getName() = "memcpy"
select c

Question 1.1: Find all the calls to ntohl, ntohll, and ntohs

import cpp

// Version with two variables
// from Macro m, MacroInvocation mi
// where
//   m.getName().regexpMatch("ntoh(s|l|ll)") and
//   mi.getMacro() = m
// select mi, m

// More compact version with the Macro variable implicit
from MacroInvocation mi
where mi.getMacro().getName().regexpMatch("ntoh(s|l|ll)")
select mi

Question 1.2: Find the expressions that resulted in these macro invocations

import cpp

from MacroInvocation mi
where mi.getMacro().getName().regexpMatch("ntoh(s|l|ll)")
select mi.getExpr()

Step 2: Data flow analysis

Question 2.0: Write a QL class that finds all the top-level expressions associated with the macro invocations to the calls to ntohl, ntohll, and ntohs

import cpp

/**
 * An expression involved when swapping the byte order of network data.
 * Its value is likely to have been read from the network.
 */
class NetworkByteSwap extends Expr {
  NetworkByteSwap() {
    exists(MacroInvocation mi |
      mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and
      this = mi.getExpr()
    )
  }
}

from NetworkByteSwap n
select n

Question 2.1: Create the configuration class, by defining the source and sink

import cpp
import semmle.code.cpp.dataflow.TaintTracking
import DataFlow::PathGraph

/**
 * An expression involved when swapping the byte order of network data.
 * Its value is likely to have been read from the network.
 */
class NetworkByteSwap extends Expr {
  NetworkByteSwap() {
    exists(MacroInvocation mi |
      mi.getMacroName().regexpMatch("ntoh(s|l|ll)") and
      this = mi.getExpr()
    )
  }
}

class Config extends TaintTracking::Configuration {
  Config() { this = "Config: this name doesn't matter" }

  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof NetworkByteSwap }

  override predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall c | c.getTarget().getName() = "memcpy" and sink.asExpr() = c.getArgument(2))
  }
}

from Config cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink, source, sink, "Network byte swap flows to memcpy"

Step 3: Find additional vulnerabilities

Question 3.0: There are 13 known vulnerabilities in U-Boot.

Find details in our research post