SV.TAINTED.LOOP_BOUND

Unvalidated input used as a loop boundary

Whenever input is accepted from the user or the outside environment, it should be validated for type, length, format, and range before it is used. Until properly validated, the data is said to be tainted. The SV.TAINTED family of checkers looks for the use of tainted data in code.

The SV.TAINTED.LOOP_BOUND error is reported when an unvalidated argument is used as a loop boundary.

Vulnerability and risk

When input to code isn't validated properly, an attacker can craft the input in a form that isn't expected by the application. The receipt of unintended input can result in altered control flow, arbitrary resource control, and arbitrary code execution. With this sort of opportunity, an attacker could

  • provide unexpected values and cause a program crash
  • cause excessive resource consumption
  • read confidential data
  • use malicious input to modify data or alter control flow
  • execute arbitrary commands

Vulnerable code example

1  void iterateFoo()
2   {
3     unsigned num;
4     int i;
5     scanf("%u",&num);
6     for (i = 0; i < num; i++){
7       foo();
8     }
9    }

Klocwork produces an issue report at line 6 indicating that unvalidated integer 'num' received through a call to 'scanf' at line 5 can be used in a loop condition at line 6. In this case, potentially tainted data is used as a loop boundary, which could be exploited by a malicious user.

Fixed code example

1  void iterateFoo()
2   {
3     unsigned num;
4     int i;
5     scanf("%u",&num);
6     if (num > 20) return;
7     for (i = 0; i < num; i++){
8       foo();
9     }
10   }

In the fixed code, the integer 'num' is checked at line 6 before it's used as a loop condition.