SV.TAINTED.CALL.LOOP_BOUND

Unvalidated input used as a loop boundary by function call

Whenever input is accepted from the user or the outside environment, it should be validated for type, length, format, and range before it is used. Until properly validated, the data is said to be tainted. The SV.TAINTED family of checkers looks for the use of tainted data in code.

The SV.TAINTED.CALL.LOOP_BOUND error is reported when a loop variable is passed as an argument to another function and used as a loop boundary.

Vulnerability and risk

When input to code isn't validated properly, an attacker can craft the input in a form that isn't expected by the application. The receipt of unintended input can result in altered control flow, arbitrary resource control, and arbitrary code execution. With this sort of opportunity, an attacker could

  • provide unexpected values and cause a program crash
  • cause excessive resource consumption
  • read confidential data
  • use malicious input to modify data or alter control flow
  • execute arbitrary commands

Vulnerable code example

1  void iterate(int n){
2     int i;
3     for (i = 0; i < n; i++){
4       foo();
5     }
6  
7   }
8   void iterateFoo()
9   {
10    unsigned num;
11    scanf("%u",&num);
12 
13    iterate(num);
14   }

Klocwork produces an issue report at line 13 indicating that the unvalidated integer value 'num' received through a call to 'scanf' at line 11 can be used in a loop condition through a call to 'iterate' at line 13. In this case, the SV.TAINTED.CALL.LOOP_BOUND checker finds code that uses potentially tainted data passed to another function as a loop boundary.

Fixed code example

1  void iterate(int n){
2     int i;
3     for (i = 0; i < n; i++){
4       foo();
5     }
6  
7   }
8   void iterateFoo()
9   {
10    unsigned num;
11    scanf("%u",&num);
12 
13    if (num < 100) iterate(num);
14   }

In the fixed example, the integer value 'num' is checked at line 13 before the iteration.