SV.TAINTED.CALL.GLOBAL

Use of Unvalidated Integer in an Assignment Operation

This checker reports a defect whenever tainted data is used to assign a global variable via a function call.

Vulnerability and risk

Global variables are visible in the entire program scope, so it can be difficult for a programmer or an analysis tool to fully track where they are assigned or read. This reduced understanding of a global variable's effect on the program's control flow can introduce a security risk when integer input to the code is not validated properly and is then used to assign a global variable.

Vulnerable code example

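   #define MAX  10
   int gVar = 0;
   int getTaintedData()
   {
      int i;
      scanf("%d", &i);            /* integer read from untrusted input */
      return i;
   }
   void foo()
   {
      int t = getTaintedData();   /* t is tainted */
      bar(t);                     /* tainted value passed on unvalidated */
   }
   void bar(int t)
   {
      gVar = t;                   /* global assigned from tainted data */
   }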

In the above example, an attacker can provide an arbitrary value for the global variable 'gVar', which can later be used elsewhere in code that the programmer has no control over or is not even aware of. This potentially introduces the risk of a security vulnerability involving that variable.

Klocwork reports a SV.TAINTED.GLOBAL defect at line 12, indicating: "Unvalidated integer value 't' that is received from 'getTaintedData' at line 11 is used to assign a global variable via a call 'bar()' at line 12."

Fixed code example

   #define MAX  10
   int gVar = 0;
   int getTaintedData()
   {
      int i;
      scanf("%d", &i);            /* integer read from untrusted input */
      return i;
   }
   void foo()
   {
      int t = getTaintedData();
      if (t < MAX) {
         // value validated
         bar(t);
      }
   }
   void bar(int t)
   {
      gVar = t;
   }

In this example, Klocwork no longer reports a defect because the integer value 't' is validated.
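A stricter variant of the fix, as an added example that is not Klocwork's own code: it goes beyond the page's `t < MAX` check by also rejecting negative values and input that fails to parse, and it routes every write to 'gVar' through one validating setter. The names `parse_int`, `set_gvar` and `update_from_input` are hypothetical, and the sample inputs are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX 10
static int gVar = 0;   /* the global from the page's example */

/* Hypothetical helper: parse a decimal int from untrusted text.
 * Returns 0 on success, -1 on empty input, trailing junk or overflow. */
int parse_int(const char *s, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0')
        return -1;
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;
    *out = (int)v;
    return 0;
}

/* Hypothetical setter: the only path that writes gVar. It enforces the
 * full range 0 <= t < MAX, so no caller can skip the check. */
int set_gvar(int t)
{
    if (t < 0 || t >= MAX)
        return -1;
    gVar = t;
    return 0;
}

/* Tainted text in, validated global out. Returns 0 if gVar was updated. */
int update_from_input(const char *text)
{
    int t;
    return parse_int(text, &t) == 0 ? set_gvar(t) : -1;
}

int main(void)
{
    const char *samples[] = { "7", "-3", "10", "abc", "99999999999" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = update_from_input(samples[i]);
        printf("%-12s rc=%d gVar=%d\n", samples[i], rc, gVar);
    }
    return 0;
}
```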