SV.TAINTED.LOOP_BOUND
Unvalidated input used as a loop boundary
Whenever input is accepted from the user or the outside environment, it should be validated for type, length, format, and range before it is used. Until properly validated, the data is said to be tainted. The SV.TAINTED family of checkers looks for the use of tainted data in code.
The SV.TAINTED.LOOP_BOUND error is reported when an unvalidated argument is used as a loop boundary.
Vulnerability and risk
When input to code isn't validated properly, an attacker can craft the input in a form that isn't expected by the application. The receipt of unintended input can result in altered control flow, arbitrary resource control, and arbitrary code execution. With this sort of opportunity, an attacker could
- provide unexpected values and cause a program crash
- cause excessive resource consumption
- read confidential data
- use malicious input to modify data or alter control flow
- execute arbitrary commands
Vulnerable code example
void iterateFoo()
{
unsigned num;
int i;
scanf("%u",&num);
for (i = 0; i < num; i++){
foo();
}
}
Klocwork produces an issue report at line 6 indicating that unvalidated integer 'num' received through a call to 'scanf' at line 5 can be used in a loop condition at line 6. In this case, potentially tainted data is used as a loop boundary, which could be exploited by a malicious user.
Fixed code example
void iterateFoo()
{
unsigned num;
int i;
scanf("%u",&num);
if (num > 20) return;
for (i = 0; i < num; i++){
foo();
}
}
In the fixed code, the integer 'num' is checked at line 6 before it's used as a loop condition.
Related checkers
External guidance
- CERT ARR00-C: Understand how arrays work
- CERT ARR30-C: Do not form or use out-of-bounds pointers or array subscripts
- CERT INT04-C: Enforce limits on integer values originating from tainted sources
- CWE-20: Improper Input Validation
- CWE-606: Unchecked Input for Loop Condition
- OWASP A3:2021 Injection
- STIG-ID: APP3510 Insufficient input validation