ABV.GENERAL.MULTIDIMENSION
Buffer overflow-array index out of bounds
A buffer overflow, or overrun, is an anomaly in which a program writing data to a buffer overruns the buffer's boundaries and overwrites adjacent memory. Typically, this problem occurs when a program is copying strings of characters to a buffer.
C and C++ provide no built-in protection against accessing or overwriting data in any part of memory, and do not automatically check that data written to an array (the built-in buffer type for this language) is within the array's boundaries.
The ABV.GENERAL.MULTIDIMENSION checker is a generic checker that looks for array bounds violations—any access to an array element that is outside of the bounds of that array—for multi-dimensional arrays, that is, for two- to N-dimensional arrays.
Vulnerability and risk
Buffer overflows can be triggered by inputs that are designed to execute code or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security.
Consequences of buffer overflow include valid data being overwritten and execution of arbitrary and potentially malicious code. For example, buffer overflows can manipulate a program in several ways:
- By overwriting a local variable that is near the buffer in memory to change the behavior of the program to benefit the attacker
- By overwriting the return address in a stack frame so that execution resumes at the return address specified by the attacker (usually a user input-filled buffer)
- By overwriting a function pointer or exception handler, which is subsequently executed
Vulnerable code example 1
#include<iostream>
using namespace std;
int main()
{
// an array with 3 rows and 2 columns.
int x[3][2] = {0,1,2,3,4,5};
int *p = &x[0][0];
cout<<"Array access: "<<*(p+9)<<endl;
return 0;
}
Klocwork produces a buffer overflow report for line 10 indicating that the multidimensional array 'x' may be out of bounds.
Fixed code example 1
#include<iostream>
using namespace std;
int main()
{
// an array with 3 rows and 2 columns.
int x[3][2] = {0,1,2,3,4,5};
int *p = &x[0][0];
cout<<"Array access: "<<*(p+2)<<endl;
return 0;
}
In the fixed code example, the multidimensional array is accessed within the index range.
Related checkers
- ABV.ANY_SIZE_ARRAY
- ABV.GENERAL
- ABV.ITERATOR
- ABV.MEMBER
- ABV.STACK
- ABV.TAINTED
- ABV.UNICODE.BOUND_MAP
- ABV.UNICODE.FAILED_MAP
- ABV.UNICODE.NNTS_MAP
- ABV.UNICODE.SELF_MAP
- ABV.UNKNOWN_SIZE
External guidance
- CERT ARR00-C: Understand how arrays work
- CERT ARR30-C: Do not form or use out-of-bounds pointers or array subscripts
- CERT ARR38-C: Guarantee that library functions do not form invalid pointers
- CERT CTR50-CPP: Guarantee that container indices and iterators are within the valid range
- CERT ENV01-C: Do not make assumptions about the size of an environment variable
- CERT EXP08-C: Ensure pointer arithmetic is used correctly
- CERT POS30-C: Use the readlink() function properly
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- CWE-122: Heap-based Buffer Overflow
- CWE-124: Buffer Underwrite ('Buffer Underflow')
- CWE-125: Out-of-bounds Read
- CWE-127: Buffer Under-read
- CWE-193: Off-by-one Error
- CWE-251: None
- CWE-786: Access of Memory Location Before Start of Buffer
- CWE-787: Out-of-bounds Write
- CWE-788: Access of Memory Location After End of Buffer
- CWE-805: Buffer Access with Incorrect Length Value
- CWE-806: Buffer Access Using Size of Source Buffer
Security training
Application security training materials provided by Secure Code Warrior.
Extension
This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.