================
@@ -1273,6 +1273,41 @@ Check for memory leaks, double free, and use-after-free 
problems. Traces memory
 .. literalinclude:: checkers/unix_malloc_example.c
     :language: c
 
+If the ``alpha.security.taint.TaintPropagation`` checker is enabled, the 
checker
+warns for cases when the ``size`` parameter of the ``malloc`` , ``calloc``,
+``realloc``, ``alloca`` is tainted (potentially attacker controlled). If an
+attacker can inject a large value as the size parameter, memory exhaustion
+denial of service attack can be carried out.
+
+The analyzer emits warning only if it cannot prove that the size parameter is
+within reasonable bounds (``<= SIZE_MAX/4``). This functionality partially
+covers the SEI Cert coding standard rule `INT04-C
+<https://wiki.sei.cmu.edu/confluence/display/c/INT04-C.+Enforce+limits+on+integer+values+originating+from+tainted+sources>`_.
+
+You can silence this warning either by bound checking the ``size`` parameter, 
or
+by explicitly marking the ``size`` parameter as sanitized. See the
+:ref:`alpha-security-taint-TaintPropagation` checker for more details.
+
+.. code-block:: c
+
+  void t1(void) {
+    size_t size;
+    scanf("%zu", &size);
+    int *p = malloc(size); // warn: malloc is called with a tainted 
(potentially attacker controlled) value
+    free(p);
+  }
+
+  void t3(void) {
+    size_t size;
+    scanf("%zu", &size);
+    if (1024<size)
+      return;
+    int *p = malloc(size); // No warning expected as the the user input is 
bound
+    free(p);
+  }
+
+.. _unix-MismatchedDeallocator:
+
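Review bot: the paragraph on silencing the warning names two options (bound checking `size`, or explicitly marking it as sanitized), but the code block only demonstrates the bound check in `t3`; consider adding an example of the sanitized case, or say that it is shown under the TaintPropagation checker. The documented threshold is `<= SIZE_MAX/4` while `t3` checks against 1024, so a short remark that any provable bound at or below the threshold suppresses the report would tie the example to the text. Smaller points in the same hunk: the examples jump from `t1` to `t3` with no `t2`, the `t3` comment has a doubled word ("the the user input is bound"), there is a stray space before the comma after ``malloc``, "SEI Cert" is normally written "SEI CERT", and "emits warning" and "memory exhaustion denial of service attack" each lack an article.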
----------------
steakhal wrote:

```suggestion
```

This appears to be a copy-paste mistake.

https://github.com/llvm/llvm-project/pull/92420
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
