Buffer overflow-local array index out of bounds

ABV.STACK is an inter-procedural checker that looks for buffer overflow inside a called function. Arguments passed to the function control which elements of the buffer are accessed. This checker finds defects when the buffer is not passed to the function, but is usually a local variable inside the function or a global variable.

Vulnerability and risk

Indexing into a local array outside of its bounds may lead to application instability, or with a carefully constructed attack, data disclosure vulnerabilities, code injection, or other vulnerabilities.

Vulnerable code example

1  void foobar(int x)
2  {
3      int local_array[7];
4      local_array[x] = 0;
5  }
7  int main() {
8      foobar(15);
9      return 0;
10 }

In this example, function 'foobar' gets a value that is used in an index to access 'local_array'. Klocwork produces an issue report for line 8 indicating that calling method 'foobar' with a parameter of 15 exceeds the valid values, which are 0..7. In this case, the checker has found the defect in a buffer found inside the function 'foobar'.

Fixed code example

1  void foobar(int x)
2  {
3      int local_array[7];
4      // verify the parameter is in range
5      if (x >= 0 && x < 7)
6      {
7          local_array[x] = 0;
8      }
9  }
11 int main() {
12     foobar(15);
13     return 0;
14 }

In the fixed code example, the value of parameter 'x' is validated at line 5 to before it's used to index into local array 'local_array' at line 7. In other cases, the best fix for similar code could be a value check in a calling function.


This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.