I have two cases to present: an isolated test case handwritten by me (taint_prop_1.c),
and the source of the Ping utility off of a Debian package dated 2012-12-21
(the actual tests are located around lines 795~834 in ping.c;
ping_common.c, SNAPSHOT.h, and ping_common.h are needed for compiling, though).
After compiling ping, run with sudo, and options 127.0.0.1 and -c 1.
After compiling taint_prop_1.c, it can be run with no command line options.
When you receive a datagram in a byte array and extract the fields,
the ICMP header portion typically begins 20 bytes in (assume no IP options).
At the 21st byte, the ICMP type code sits there.
This can be extracted by either indexing from the array or
typecasting the array to struct icmphdr* and using the "type" field in the structure.
Now, after marking all bytes, I want to see how the labels propagate after assigning to variables.
In taint_prop_1.c, they work as expected;
however, in ping.c, the label information appears to have been wiped out along the way,
or they fail to propagate properly; the descriptions of the labels return "null".
I don't think 84 labels is too many for the framework, is it?
In the case of DataFlowSanitizer, what can cause labels to not be propagated properly?
What can cause the description and the data to be "lost" during the propagation process?
Thank you for looking into this!
ping.c (34.9 KB)
taint_prop_1.c (1.98 KB)
ping_common.c (23.9 KB)
SNAPSHOT.h (38 Bytes)
ping_common.h (7.57 KB)