ABV.TAINTED
Buffer overflow-array index from tainted input out of bounds
ABV.TAINTED checks for buffer overflows caused by unvalidated, or tainted, input data originating from the user or external devices. This checker flags execution paths through the code in which input data involved in a buffer overflow was not validated.
Vulnerability and risk
Buffer overflows are frequently the source of application attacks and exploits.
Mitigation and prevention
To avoid the possibility of these attacks from tainted input
- make sure you insert a validation condition before the line in which the overflow can occur
- consider all the potentially relevant input properties of the input, including length, type of input, full range of acceptable values, missing or extra inputs, syntax, consistency in related fields, and conformance to business rules
- make sure the minimum as well as maximum of a range is verified, so that negative values cannot be mistakenly accepted
Vulnerable code example
#include <stdio.h>
void wrapped_read(char* buf, int count) {
fgets(buf, count, stdin);
}
void TaintedAccess()
{
char buf1[12];
char buf2[12];
char dst[16];
wrapped_read(buf1, sizeof(buf1));
wrapped_read(buf2, sizeof(buf2));
sprintf(dst, "%s-%s\n", buf1, buf2);
}
Klocwork produces a buffer overflow report for line 15 indicating that unvalidated input is used as an array index to 'dst'. Array 'dst' is defined with a size of 16, but lines 13 and 14 may produce an input of 22 characters, plus terminating nulls. In this case, the input data hasn't been checked in relation to the buffer size, so it's considered to be tainted.
Fixed code example
#include <stdio.h>
void wrapped_read(char* buf, int count) {
fgets(buf, count, stdin);
}
void TaintedAccess()
{
char buf1[12];
char buf2[12];
char dst[25];
wrapped_read(buf1, sizeof(buf1));
wrapped_read(buf2, sizeof(buf2));
sprintf(dst, "%s-%s\n", buf1, buf2);
}
In the fixed code example, the size for 'dst' has been correctly defined as 25.
Related checkers
External guidance
- CERT ARR00-C: Understand how arrays work
- CERT ARR30-C: Do not form or use out-of-bounds pointers or array subscripts
- CERT CTR50-CPP: Guarantee that container indices and iterators are within the valid range
- CERT ENV01-C: Do not make assumptions about the size of an environment variable
- CWE-20: Improper Input Validation
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-124: Buffer Underwrite ('Buffer Underflow')
- CWE-125: Out-of-bounds Read
- CWE-129: Improper Validation of Array Index
- CWE-787: Out-of-bounds Write
- CWE-788: Access of Memory Location After End of Buffer
- CWE-805: Buffer Access with Incorrect Length Value
- CWE-806: Buffer Access Using Size of Source Buffer
- OWASP A3:2021 Injection
- STIG-ID: APP3510 Insufficient input validation
- STIG-ID: APP3590.1 Application is vulnerable to buffer overflows
Security training
Application security training materials provided by Secure Code Warrior.
Extension
This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.