Checkers:ABV.TAINTED

From current

Buffer overflow—array index from tainted input out of bounds

ABV.TAINTED checks for buffer overflows caused by unvalidated, or tainted, input data originating from the user or external devices. This checker flags execution paths through the code in which input data involved in a buffer overflow was not validated.

Vulnerability and risk

Buffer overflows are frequently the source of application attacks and exploits. For more information on vulnerability and risk in buffer overflows, see Understanding buffer overflows.

Mitigation and prevention

To avoid the possibility of these attacks from tainted input

• make sure you insert a validation condition before the line in which the overflow can occur
• consider all the potentially relevant input properties of the input, including length, type of input, full range of acceptable values, missing or extra inputs, syntax, consistency in related fields, and conformance to business rules
• make sure the minimum as well as maximum of a range is verified, so that negative values cannot be mistakenly accepted

Code examples

Vulnerable code example

1  #include <stdio.h>
2  void wrapped_read(char* buf, int count) {
3     fgets(buf, count, stdin);
4  }
5  
6  void TaintedAccess()
7  {
8     char buf1[12];
9     char buf2[12];
10 
11    char dst[16];
12 
13    wrapped_read(buf1, sizeof(buf1));
14    wrapped_read(buf2, sizeof(buf2));
15    sprintf(dst, "%s-%s\n", buf1, buf2);
16 }

Klocwork produces a buffer overflow report for line 15 indicating that unvalidated input is used as an array index to 'dst'. Array 'dst' is defined with a size of 16, but lines 13 and 14 may produce an input of 22 characters, plus terminating nulls. In this case, the input data hasn't been checked in relation to the buffer size, so it's considered to be tainted.

Fixed code example

1  #include <stdio.h>
2  void wrapped_read(char* buf, int count) {
3     fgets(buf, count, stdin);
4  }
5  
6  void TaintedAccess()
7  {
8     char buf1[12];
9     char buf2[12];
10 
11    char dst[25];
12 
13    wrapped_read(buf1, sizeof(buf1));
14    wrapped_read(buf2, sizeof(buf2));
15    sprintf(dst, "%s-%s\n", buf1, buf2);
16 }

In the fixed code example, the size for 'dst' has been correctly defined as 25.

Related checkers

• ABV.ANY_SIZE_ARRAY
• ABV.GENERAL
• ABV.ITERATOR
• ABV.MEMBER
• ABV.TAINTED
• NNTS.MIGHT
• NNTS.TAINTED
• SV.STRBO.BOUND_SPRINTF
• SV.STRBO.BOUND_COPY
• SV.STRBO.UNBOUND_COPY
• SV.STRBO.UNBOUND_SPRINTF

External guidance

• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-129: Improper Validation of Array Index
• CWE-190: Integer Overflow or Wraparound
• CWE-788: Access of Memory Location After End of Buffer
• CWE-805: Buffer Access with Incorrect Length Value
• ARR30-C: Do not form or use out of bounds pointers or array subscripts
• STIG-ID:APP3510 Insufficient input validation
• STIG-ID:APP3590.1 Application is vulnerable to buffer overflows
• 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.