The llvm-3.2 taint engine does not properly taint the results of a gets() call.
For gets(), since none of the function arguments are tainted, ProgramStateRef GenericTaintChecker::TaintPropagationRule::process() bails out early. Most other input functions take stdin as an argument; gets() is a special case, wherein stdin is implied.

The attached patch includes a fix for this issue and a regression test case. This fix does slightly change the semantics of TaintPropagationRule, but I think it maintains correctness.

Note: this patch is against llvm/clang 3.2. Due to a bug, I can't use 3.3, and HEAD is too unstable for my purposes. My apologies if this bug has been fixed already!

Also, I mistakenly submitted this patch as Bug 16475. If this is committed, could someone please close that bug? Thanks!

http://llvm.org/bugs/show_bug.cgi?id=16475

Keaton Mowery
gets-taint.patch
cfe-commits mailing list: http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits
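As an added illustration of the early bail-out the mail describes, here is a small Python model of a taint-propagation rule table in which the gets() rule carries an implied stdin source. It is not the attached patch and not clang's own code; every name in it (Rule, propagate, taint_after_gets, the rule entries) is invented for this sketch.

```python
# Toy model of a taint-propagation rule table (constructed for this example,
# not GenericTaintChecker's real data structures).
STDIN = "stdin"    # stdin is treated as an always-tainted source
RESULT = "result"  # marker for "taint the call's return value"


class Rule:
    """Taint every 'dst' argument when any 'src' argument is tainted.
    implicit_src=True marks a function that reads an external source
    that never appears in its argument list (gets() reads stdin)."""
    def __init__(self, src, dst, implicit_src=False):
        self.src, self.dst, self.implicit_src = src, dst, implicit_src


# Argument indices are positional, 0-based; entries are constructed here.
RULES = {
    "fgets": Rule(src=[2], dst=[0]),                 # fgets(buf, n, stream)
    "fgetc": Rule(src=[0], dst=[RESULT]),            # fgetc(stream)
    "gets":  Rule(src=[], dst=[0], implicit_src=True),  # gets(buf): stdin implied
}


def propagate(name, args, tainted, fixed=True):
    """Return the set of tainted names after the call name(*args).
    args are symbolic value names; tainted is the set before the call.
    fixed=False reproduces the reported behaviour: with no tainted source
    argument the rule bails out, so gets() never taints its buffer."""
    rule = RULES.get(name)
    if rule is None:
        return set(tainted)
    src_tainted = any(args[i] in tainted for i in rule.src)  # False for gets()
    if not src_tainted and not (fixed and rule.implicit_src):
        return set(tainted)  # early bail-out: nothing to propagate
    new = set(tainted)
    for d in rule.dst:
        new.add(f"{name}#ret" if d == RESULT else args[d])
    return new


def taint_after_gets(fixed):
    # Constructed program fragment: char buf[256]; gets(buf);
    return "buf" in propagate("gets", ["buf"], {STDIN}, fixed=fixed)


if __name__ == "__main__":
    print("gets, unfixed:", taint_after_gets(False))  # False
    print("gets, fixed:  ", taint_after_gets(True))   # True
    # fgets(buf, 256, stdin) is tainted either way: stdin is an explicit argument
    print("fgets:        ", "buf" in propagate("fgets", ["buf", "256", STDIN], {STDIN}))
```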
