Potential Error uncontrolled-allocation-size Related to CWE-190
Dear developers,
When we used CodeQL (GitHub's static code analysis tool) to analyze the project, it reported an error in code that may cause a breakdown. We also found that this potential error has existed in the project for a relatively long time. In this issue we provide the error from a single file, modules/drivers/lidar/hesai/parser/tcp_cmd_client.cc, including its name, location and analysis steps (code data flow). We hope it gets your attention, and we look forward to further communication.
System information
- OS Platform and Distribution: Linux Ubuntu 18.04
- Apollo installed from: source
- Apollo version: 9.0, but some of the findings also appear in much earlier versions such as 8.0
Output of apollo.sh config if on master branch: no output can be given because the analysis was run just after a standard installation
Steps to reproduce the issue:
- Prepare everything by following the guidance of the official docs before running './apollo.sh build'
- Then use the CodeQL database create command to build the database and set --command='./apollo.sh build'; it looks like:
codeql database create new-database --language=<language> --command='./scripts/build.sh'
- Please note that the process needs a clean build and may take a long time to finish. Using a clean command and parallelization techniques suited to your hardware environment may help make it faster
Supporting materials (screenshots, command lines, code/script snippets):
- Because of GitHub's limits, we cannot attach the original file directly. You can contact us by email to obtain it: [email protected]
Here is the information that was reported as the most important; it is focused on
uncontrolled allocation size, which is related to CWE-190. The <number:number> pattern gives the specific location of the code (e.g. in 'read output argument novatel.c 2001:13', 'fread output argument' is the code and '2001:13' is the detailed location) in the code file and helps you trace the code data flow in the program:
This allocation size is derived from user input (buffer read by read) and might overflow:
1. read output argument, tcp_cmd_client.cc 161:35
2. Read output argument, tcp_cmd_client.cc 120:18
3. *... + ..., tcp_cmd_client.cc 132:15
4. *buffer, tcp_cmd_client.cc 82:53
5. ... = ..., tcp_cmd_client.cc 87:3
6. *header [post update] [len], tcp_cmd_client.cc 87:3
7. ParseHeader output argument [len], tcp_cmd_client.cc 132:30
8. *feedback [post update] [header, len], tcp_cmd_client.cc 132:31
9. *feedback [header, len], tcp_cmd_client.cc 139:43
10. *header [len], tcp_cmd_client.cc 139:53
11. ... + ..., tcp_cmd_client.cc 139:43
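For readers unfamiliar with what the uncontrolled-allocation-size query flags, the following is an added, self-contained illustration of the pattern in general terms. It is not Apollo's tcp_cmd_client.cc and not code from the reporter; the wire format (4-byte big-endian length followed by payload), the names ParseHeader, Header, BuildFeedback and the 64 KiB ceiling are all assumptions made for the example. It shows a length field read from an untrusted peer flowing into an allocation size computed as len + header, first with 32-bit wraparound and no upper bound, then with a bounded, overflow-checked computation.

```cpp
// Added illustration of the CWE-190 "uncontrolled allocation size" pattern.
// Not Apollo's code: frame layout, names and limits are assumptions.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumed wire format: 4-byte big-endian payload length, then the payload.
constexpr size_t kHeaderSize = 4;
// Assumed protocol ceiling: no legitimate reply carries more than 64 KiB.
constexpr size_t kMaxPayload = 64 * 1024;

struct Header {
  uint32_t len;  // payload length exactly as sent by the (untrusted) peer
};

// Parses the length field out of bytes that came from read()/recv().
// Returns false when fewer than kHeaderSize bytes are available.
bool ParseHeader(const uint8_t* buf, size_t n, Header* header) {
  if (buf == nullptr || header == nullptr || n < kHeaderSize) return false;
  header->len = (static_cast<uint32_t>(buf[0]) << 24) |
                (static_cast<uint32_t>(buf[1]) << 16) |
                (static_cast<uint32_t>(buf[2]) << 8) |
                 static_cast<uint32_t>(buf[3]);
  return true;
}

// Vulnerable computation: header.len + 4 in 32-bit arithmetic with no upper
// bound. A peer that sends 0xFFFFFFFF makes the sum wrap to 3, so a buffer
// allocated with this size is far smaller than the copy that follows.
// Returned instead of allocated so the wraparound is observable.
uint32_t UnsafeFeedbackSize(const Header& header) {
  return header.len + static_cast<uint32_t>(kHeaderSize);
}

// Hardened computation: reject lengths above the protocol ceiling, then add
// in size_t with an explicit pre-check so the sum cannot wrap.
bool SafeFeedbackSize(const Header& header, size_t* out) {
  if (out == nullptr) return false;
  if (header.len > kMaxPayload) return false;          // untrusted, so bound it
  const size_t len = header.len;
  if (len > SIZE_MAX - kHeaderSize) return false;      // defensive: no wrap
  *out = len + kHeaderSize;
  return true;
}

// End-to-end: validate a frame as received from the socket and build the
// feedback buffer (header + payload). Any malformed, oversized or truncated
// frame is rejected before anything is allocated.
bool BuildFeedback(const uint8_t* frame, size_t n, std::vector<uint8_t>* feedback) {
  Header header;
  if (feedback == nullptr || !ParseHeader(frame, n, &header)) return false;
  size_t total = 0;
  if (!SafeFeedbackSize(header, &total)) return false;
  if (n < total) return false;  // declared length exceeds bytes actually received
  feedback->assign(frame, frame + total);
  return true;
}

int main() {
  // Constructed frames: a benign 3-byte payload and a hostile length field.
  const uint8_t good[] = {0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'};
  const uint8_t hostile[] = {0xFF, 0xFF, 0xFF, 0xFF, 'a', 'b', 'c'};
  Header h;
  ParseHeader(hostile, sizeof(hostile), &h);
  std::printf("unsafe size for len=0x%08x: %u\n", h.len, UnsafeFeedbackSize(h));
  std::vector<uint8_t> fb;
  std::printf("good frame accepted: %d\n", BuildFeedback(good, sizeof(good), &fb));
  std::printf("hostile frame accepted: %d\n", BuildFeedback(hostile, sizeof(hostile), &fb));
  return 0;
}
```

The check that matters is the one against kMaxPayload: once the length is bounded by a protocol constant, the later addition cannot overflow on any platform, and CodeQL's taint path from the read() output to the allocation size is cut at the sanitizer.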