ABV.STACK

Buffer overflow-local array index out of bounds

ABV.STACK is an inter-procedural checker that looks for buffer overflow inside a called function. Arguments passed to the function control which elements of the buffer are accessed. This checker finds defects when the buffer is not passed to the function, but is usually a local variable inside the function or a global variable.

Vulnerability and risk

Indexing into a local array outside of its bounds may lead to application instability, or with a carefully constructed attack, data disclosure vulnerabilities, code injection, or other vulnerabilities.

Vulnerable code example

1
2
3
4
5
6
7
8
9
10
  void foobar(int x)
  {
      int local_array[7];
      local_array[x] = 0;
  }
  
  int main() {
      foobar(15);
      return 0;
 }

In this example, function 'foobar' gets a value that is used in an index to access 'local_array'. Klocwork produces an issue report for line 8 indicating that calling method 'foobar' with a parameter of 15 exceeds the valid values, which are 0..7. In this case, the checker has found the defect in a buffer found inside the function 'foobar'.

Fixed code example

1
2
3
4
5
6
7
8
9
10
11
12
13
14
  void foobar(int x)
  {
      int local_array[7];
      // verify the parameter is in range
      if (x >= 0 && x < 7)
      {
          local_array[x] = 0;
      }
  }
 
 int main() {
     foobar(15);
     return 0;
 }

In the fixed code example, the value of parameter 'x' is validated at line 5 to before it's used to index into local array 'local_array' at line 7. In other cases, the best fix for similar code could be a value check in a calling function.

Related checkers

• ABV.ANY_SIZE_ARRAY
• ABV.GENERAL
• ABV.ITERATOR
• ABV.MEMBER
• ABV.STACK
• ABV.TAINTED
• ABV.UNICODE.BOUND_MAP
• ABV.UNICODE.FAILED_MAP
• ABV.UNICODE.NNTS_MAP
• ABV.UNICODE.SELF_MAP
• ABV.UNKNOWN_SIZE

External guidance

• CERT ARR30-C: Do not form or use out-of-bounds pointers or array subscripts
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
• CWE-121: Stack-based Buffer Overflow
• CWE-124: Buffer Underwrite ('Buffer Underflow')
• CWE-125: Out-of-bounds Read
• CWE-787: Out-of-bounds Write
• CWE-788: Access of Memory Location After End of Buffer
• CWE-805: Buffer Access with Incorrect Length Value
• CWE-806: Buffer Access Using Size of Source Buffer
• STIG-ID:APP3590.1 Application is vulnerable to buffer overflows

Security training

Application security training materials provided by Secure Code Warrior.

• Buffer Overflow Training Video - Test your skills with a training example
• Stack Overflow Training Video - Test your skills with a training example

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.