def checkArgDef(self,callsiteIndex,beginIndex,lowerBound,p,rfl,childnum,callee):
if p==[] or isinstance(self.l[callsiteIndex+1],LineOfCode):#Abort non-pointer variable.
return [],False
#Note: funciton name and callee name may not be equal as there exist macro and function pointer
#e.g. nread = abfd->iovec->bread (abfd, ptr, size);
indexes=self.slice_same_func_lines(callsiteIndex+2,lowerBound)#PlUS TWO("callsiteIndex+2")means
#start from the first line of callee function.
params=self.l[callsiteIndex+1].get_param_list().split(",")
if len(params)-1<childnum:
skip_va_arg_nums=childnum-len(params)
res=self.check_va_arg_style(skip_va_arg_nums,indexes)
if not res:
print "BAD arg-->param number match!"
print 1/0
varname,indexes=res
var= TaintVar(varname,p,rfl)
else:
#FIX ME following part should change for va_arg case
#----------------------------------------------------------------------------------------#
varname=params[int(childnum)].split("=")[0]
#handle "=" cases like:
#args_callback_command (name=0xbfffeb26 "swfdump0.9.2log/exploit_0_0", val=val@entry=0x0) at swfdump.c:200
print self.l[callsiteIndex+1]
var=TaintVar(varname,p,rfl)
#---------------------------------------------------------------------------------------#
pairs=self.findAllReferences(var,indexes,True)
pairs.append((callsiteIndex+1,var,True,0,len(indexes)))
defs=self.getDefs(pairs,indexes)
for d,v in defs:
print "%%%",self.l[d]
for d,v in defs:
#BUG
def_type=self.matchDefinitionType(d,v)
if def_type==Syntax.FOR:
self.TG.linkCrossEdges(beginIndex,d,v.simple_access_str())
jobs=Syntax.generate_for_jobs(d, self.l[d].codestr, v)
return self.taintUp(jobs),True
if def_type==Syntax.INC:#INC
self.TG.linkCrossEdges(beginIndex,d,v.simple_access_str())
jobs.append(TaintJob(d,v))
jobs=list(set(jobs))
return self.taintUp(jobs),True
elif def_type==Syntax.RAW_DEF:#RAW_DEF
self.TG.linkCrossEdges(beginIndex,d,v.simple_access_str())
return [],True
elif def_type==Syntax.NORMAL_ASSIGN:
self.TG.linkCrossEdges(beginIndex,d,v.simple_access_str())
assign_handler=AssignmentHandler(self.l,self.TG)
jobs=assign_handler.getJobs(v,d,indexes)
return self.taintUp(jobs),True
elif def_type==Syntax.OP_ASSIGN:
self.TG.linkCrossEdges(beginIndex,d,v.simple_access_str())
assign_handler=AssignmentHandler(self.l,self.TG)
jobs=assign_handler.getJobs(v,d,indexes)
jobs.append(TaintJob(d, v))
return self.taintUp(jobs),True
elif def_type == Syntax.RETURN_VALUE_ASSIGN:
self.TG.linkCrossEdges(beginIndex,d,v.simple_access_str())
jobs=self.handleReturnAssignDirect(beginIndex,d,v)
return jobs
elif def_type==Syntax.SYS_LIB_DEF:
self.TG.linkCrossEdges(beginIndex,d,v.simple_access_str())
jobs= Syntax.handle_sys_lib_def(d,v,self.l[d].codestr)
return self.taintUp(jobs),True
else:
#job.traceIndex-->l.index(line)
#f(t->q) variable:t syntax:*(t->q)
#track the access variable t->q
#truncate the outter syntax (->q,*) minus ( ->q)= (*)
#use new syntax to checkArgDef----- var:t->q,syntax:*
#----------------
result=Syntax.isPossibleArgumentDefinition(self.l[d],v)
if result is not None:
rfl,p,childnum,callee,arg=result
jobs,b=self.checkArgDef(d,beginIndex,lowerBound,p,rfl,childnum,callee)
if b:
return self.taintUp(jobs),True
return [],False
def lastModification(self,job):
if job.trace_index==13050:#1293:
print "FInd you!"
if job.trace_index==0:
return []
if isinstance(self.l[job.trace_index], FunctionCallInfo):
return None#The input should not be a job in FunctionCallInfo
if job.trace_index==1:#begin
if job.var.v in self.l[job.trace_index-1].param_list:
self.TG.linkInnerEdges(job.trace_index,job.trace_index-1,job.var.simple_access_str())
return []
indexes=self.up_slice(job)
if len(indexes)>0:
pairs=self.findAllReferences(job.var,indexes,False)
pairs.append((indexes[0]-1,job.var,False,0,len(indexes)))
#(aIndex,q,True,idx+1,lb)
defs=self.getDefs(pairs,indexes)
for d,v in defs:
print "In list definition:",d,self.l[d]
for d,v in defs:
def_type=self.matchDefinitionType(d,v)
if def_type==Syntax.FOR:
self.TG.linkInnerEdges(job.trace_index,d,v.simple_access_str())
jobs=Syntax.generate_for_jobs(d, self.l[d].codestr, v)
return list(set(jobs))
if def_type==Syntax.INC:#INC
self.TG.linkInnerEdges(job.trace_index,d,v.simple_access_str())
return [TaintJob(d,v)]
elif def_type==Syntax.RAW_DEF:#RAW_DEF
self.TG.linkInnerEdges(job.trace_index,d,v.simple_access_str())
return []
elif def_type==Syntax.NORMAL_ASSIGN:
self.TG.linkInnerEdges(job.trace_index,d,v.simple_access_str())
assign_handler=AssignmentHandler(self.l,self.TG)
jobs=assign_handler.getJobs(v,d,indexes)
return jobs
elif def_type==Syntax.OP_ASSIGN:
self.TG.linkInnerEdges(job.trace_index,d,v.simple_access_str())
assign_handler=AssignmentHandler(self.l,self.TG)
jobs=assign_handler.getJobs(v,d,indexes)
jobs.append(TaintJob(d, v))
return jobs
elif def_type == Syntax.RETURN_VALUE_ASSIGN:
self.TG.linkInnerEdges(job.trace_index,d,v.simple_access_str())
jobs=self.handleReturnAssignDirect(job.trace_index,d,v)
return jobs
elif def_type==Syntax.SYS_LIB_DEF:
self.TG.linkInnerEdges(job.trace_index,d,v.simple_access_str())
jobs= Syntax.handle_sys_lib_def(d,v,self.l[d].codestr)
return list(set(jobs))
else:
#job.traceIndex-->l.index(line)
#f(t->q) variable:t syntax:*(t->q)
#track the access variable t->q
#truncate the outter syntax (->q,*) minus ( ->q)= (*)
#use new syntax to checkArgDef----- var:t->q,syntax:*
#----------------
result=Syntax.isPossibleArgumentDefinition(self.l[d],v)
if result is not None:
rfl,p,childnum,callee,arg=result
if "->headindex" in p and "header_read"==callee:
print callee
jobs,b=self.checkArgDef(d,job.trace_index,job.trace_index,p,rfl,childnum,callee)
if b:
return jobs
if len(indexes)>0:
i=indexes[0]-1
else:
i=job.trace_index-1
#l[i] must be an instance of FunctionCallInfo
if i==0:#begin
if job.var.v in self.l[i].param_list:
self.TG.linkInnerEdges(job.trace_index,i,job.var.simple_access_str())
return []
elif self.l[i].get_func_name().split("::")[-1].strip() in self.l[i-1].codestr and self.l[i]==self.l[job.trace_index].get_func_call_info():#call point
if job.var.v in self.l[i].param_list:
self.TG.linkInnerEdges(job.trace_index,i,job.var.simple_access_str())
return [TaintJob(i,job.var)]
return []
elif self.isMacroCall(i-1):
if job.var.v in self.l[i].param_list:
self.TG.linkInnerEdges(job.trace_index,i,job.var.simple_access_str())
return [TaintJob(i,job.var)]
return []
return []
