CS.SV.TAINTED.CALL.LOOP_BOUND
Unvalidated input used as a loop boundary by function call
Whenever input is accepted from the user or the outside environment, it should be validated for type, length, format, and range before it is used. Until properly validated, the data is said to be tainted. The CS.SV.TAINTED family of checkers looks for the use of tainted data in code.
The CS.SV.TAINTED.CALL.LOOP_BOUND error is reported when tainted data is passed as an argument to another function and is then used as a loop boundary (the loop exit condition) inside that function, without having been validated first.
Vulnerability and risk
When input to code isn't validated properly, an attacker can craft the input in a form that the application doesn't expect. Receiving unintended input can result in altered control flow, arbitrary resource control, and arbitrary code execution. With this sort of opportunity, an attacker could
- provide unexpected values and cause a program crash
- cause excessive resource consumption
- read confidential data
- use malicious input to modify data or alter control flow
- execute arbitrary commands
Mitigation and prevention
To avoid tainted input errors:
- understand all the potential areas in which untrusted inputs could enter your software: parameters or arguments, cookies, input read from the network, environment variables, reverse DNS lookups, query results, filenames, databases, and any external systems
- use a whitelist or 'known good' policy for inputs, rather than relying only on a blacklist or 'known bad' strategy
- make sure all relevant properties of the input are validated, including length, type of input, ranges, missing or extra inputs, syntax, and consistency
- if there are security checks on the client side of an application, make sure they're duplicated on the server side
- if the application combines inputs from multiple sources, perform the validation after the sources have been combined
Vulnerable code example
using System;

namespace myNamespace
{
    class RunLoopByCalling
    {
        // Lower bound of the loop counter (not defined in the original listing).
        const int MIN_VALUE = 0;

        public static void LoopRun(int some_value)
        {
            // 'some_value' is the loop exit condition; nothing here limits it.
            for (int counter = MIN_VALUE; counter < some_value; counter++)
            {
                Console.WriteLine("Code executing {0} time", counter);
            }
        }

        public static void TryLoopConditionInCallingMethod()
        {
            // Tainted: the next character code from standard input (or -1 at end of input).
            int input_value = Console.Read();
            // Passed straight through as the loop bound, with no range check.
            LoopRun(input_value);
        }
    }
}
Klocwork produces an issue report at the call LoopRun(input_value), indicating that the unvalidated integer 'input_value', received through the call to 'Console.Read()' in TryLoopConditionInCallingMethod, can be used in the loop exit condition of LoopRun when it's passed as an argument to that function. In this case, the CS.SV.TAINTED.CALL.LOOP_BOUND checker flags potentially tainted data used as a loop boundary, which could be exploited by a malicious user to make the loop run far longer than intended.
Fixed code example
using System;

namespace myNamespace
{
    class RunLoopByCalling
    {
        // Bounds for the loop counter (not defined in the original listing;
        // MAX_BUFFER_SIZE is an assumed upper limit).
        const int MIN_VALUE = 0;
        const int MAX_BUFFER_SIZE = 1024;

        public static void LoopRun(int some_value)
        {
            for (int counter = MIN_VALUE; counter < some_value; counter++)
            {
                Console.WriteLine("Code executing {0} time", counter);
            }
        }

        public static void TryLoopConditionInCallingMethod()
        {
            int input_value = Console.Read();
            // Validate the range of the input before using it as a loop bound
            if (input_value > 0 && input_value <= MAX_BUFFER_SIZE)
            {
                LoopRun(input_value);
            }
        }
    }
}
In this example, the externally controlled data reaches LoopRun only after the range check in the if statement, so the loop bound is confined to (0, MAX_BUFFER_SIZE] and the code is no longer vulnerable to excessive resource consumption attacks. Note that Console.Read() returns the code of the next character (for the digit '9' it returns 57, and -1 at end of input) rather than a parsed number; the range check still bounds the loop, but reading a whole line and parsing it with int.TryParse is the usual way to obtain the integer the user actually typed.
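The following is an added example, not code from the Klocwork documentation, that applies the mitigation list above (validate type, range, and syntax with a known-good policy) to the fixed example: the loop bound is read as a whole line, parsed as a plain decimal integer under an explicit culture, and accepted only inside an assumed range [MinIterations, MaxIterations]. The class name, the constants, TryGetLoopBound and the sample inputs are all assumptions of this example.

```csharp
using System;
using System.Globalization;

namespace myNamespace
{
    // Added example: a validated loop bound, not part of the original page.
    static class ValidatedLoopBound
    {
        // Assumed limits; choose them from what one iteration of the loop body costs.
        public const int MinIterations = 1;
        public const int MaxIterations = 1000;

        // Known-good policy: digits only, no sign, no whitespace, within range.
        // Returns false for null/empty input, non-digits, negative numbers,
        // out-of-range values and overflow (int.TryParse reports overflow as failure).
        public static bool TryGetLoopBound(string raw, out int bound)
        {
            bound = 0;
            if (string.IsNullOrWhiteSpace(raw))
                return false;

            // NumberStyles.None accepts only a run of decimal digits.
            if (!int.TryParse(raw.Trim(), NumberStyles.None, CultureInfo.InvariantCulture, out int parsed))
                return false;

            if (parsed < MinIterations || parsed > MaxIterations)
                return false;

            bound = parsed;
            return true;
        }

        // Same shape as LoopRun in the Klocwork example; callers must pass a validated bound.
        public static void LoopRun(int some_value)
        {
            for (int counter = 0; counter < some_value; counter++)
            {
                Console.WriteLine("Code executing {0} time", counter);
            }
        }

        // Real use: Console.ReadLine() (whole line, or null at end of input) instead of
        // Console.Read(), which returns a single character code.
        public static void RunFromStdin()
        {
            string raw = Console.ReadLine();
            if (TryGetLoopBound(raw, out int bound))
                LoopRun(bound);
            else
                Console.Error.WriteLine("Rejected loop bound: expected an integer between {0} and {1}",
                    MinIterations, MaxIterations);
        }

        public static void Main()
        {
            // Constructed sample inputs showing what the policy accepts and rejects.
            string[] samples = { "10", " 7 ", "0", "-1", "1001", "99999999999", "abc", "+5", "" };
            foreach (string s in samples)
            {
                bool ok = TryGetLoopBound(s, out int bound);
                Console.WriteLine("input '{0}': {1}", s, ok ? "accepted, bound=" + bound : "rejected");
            }
            // Of the samples, only "10" and " 7 " are accepted.
        }
    }
}
```

The range check alone (as in the fixed example) bounds the loop; parsing under an explicit NumberStyles and culture additionally rejects signs, thousands separators and locale-dependent forms, so the value that reaches LoopRun is exactly the integer the policy describes.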