ABV.GENERAL

Buffer overflow-array index out of bounds

A buffer overflow, or overrun, is an anomaly in which a program writing data to a buffer overruns the buffer's boundaries and overwrites adjacent memory. Typically, this problem occurs when a program is copying strings of characters to a buffer.

C and C++ provide no built-in protection against accessing or overwriting data in any part of memory, and do not automatically check that data written to an array (the built-in buffer type for this language) is within the array's boundaries.

The ABV.GENERAL checker is a generic checker that looks for array bounds violations — any access to an array element that is outside of the bounds of that array.

Vulnerability and risk

Buffer overflows can be triggered by inputs that are designed to execute code or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security.

Consequences of buffer overflow include valid data being overwritten and execution of arbitrary and potentially malicious code. For example, buffer overflows can manipulate a program in several ways:

  • By overwriting a local variable that is near the buffer in memory to change the behavior of the program to benefit the attacker
  • By overwriting the return address in a stack frame so that execution resumes at the return address specified by the attacker (usually a user input-filled buffer)
  • By overwriting a function pointer or exception handler, which is subsequently executed

Vulnerable code example 1

Copy
  int main()
  {
      char fixed_buf[10];
      sprintf(fixed_buf,"Very long format string\n"); // Line 4. ABR
      return 0;
  }

Klocwork produces a buffer overflow report for line 4 indicating that the array index of 'fixed_buf' may be out of bounds: array 'fixed_buf' of size 10 allows index values 0..24. The ABR checker looks for array bounds violations, and in this case, finds that access to array element 'fixed_buf' is outside of the bounds of that array.

Fixed code example 1

Copy
  int main()
  {
      char fixed_buf[10];
      snprintf(fixed_buf, sizeof(fixed_buf), "Very long format string\n"); 
      return 0;
  }

In the fixed code example, the sprintf function, which simply assumes that the output buffer is large enough to hold the resulting string, was replaced with the snprintf function, which writes a maximum number of bytes to the buffer. Note that this is just one way to prevent the buffer overflow in this example code, and this fix will result in string truncation, which may need to be accounted for, depending on the application.

Vulnerable code example 2

Copy
  void foo()
  {
      char a[8]; // holds two 4-byte ints
      for (int i = 0; i < sizeof(a); i++)
      {
          ((int*)a)[i] = i;
      }
  }

There are situations when an array or a pointer to an allocated buffer is cast to a different type before its elements are accessed. In this example, the upper bound of the loop at line 4 is taken to be the size of the array 'a' in characters, but array 'a' is accessed as an array of integers at line 6. Klocwork produces a buffer overflow report for the snippet above indicating that the array index of 'a' may be out of bounds due to the difference between 1-byte characters and 4-byte integers at line 6: the array 'a' of size 2 may use index values 2..7. The traceback of the issue contains information indicating that the array 'a' declared as 'char[8]' is treated as an array of size 2.

Fixed code example 2

Copy
  void foo()
  {
      char a[8]; // holds two 4-byte ints
      for (int i = 0; i < sizeof(a) / sizeof(int); i++)
      {
          ((int*)a)[i] = i;
      }
  }

In the fixed code example, the upper bound of the loop at line 4 has been changed to look at the number of elements in array 'a' treated as an array of integers.

Related checkers

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.