ABV.TAINTED

Buffer overflow-array index from tainted input out of bounds

ABV.TAINTED checks for buffer overflows caused by unvalidated, or tainted, input data originating from the user or external devices. This checker flags execution paths through the code in which input data involved in a buffer overflow was not validated.

Vulnerability and risk

Buffer overflows are frequently the source of application attacks and exploits.

Mitigation and prevention

To avoid the possibility of these attacks from tainted input

• make sure you insert a validation condition before the line in which the overflow can occur
• consider all the potentially relevant input properties of the input, including length, type of input, full range of acceptable values, missing or extra inputs, syntax, consistency in related fields, and conformance to business rules
• make sure the minimum as well as maximum of a range is verified, so that negative values cannot be mistakenly accepted

Vulnerable code example

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
  #include <stdio.h>
  void wrapped_read(char* buf, int count) {
     fgets(buf, count, stdin);
  }
  
  void TaintedAccess()
  {
     char buf1[12];
     char buf2[12];
 
    char dst[16];
 
    wrapped_read(buf1, sizeof(buf1));
    wrapped_read(buf2, sizeof(buf2));
    sprintf(dst, "%s-%s\n", buf1, buf2);
 }

Klocwork produces a buffer overflow report for line 15 indicating that unvalidated input is used as an array index to 'dst'. Array 'dst' is defined with a size of 16, but lines 13 and 14 may produce an input of 22 characters, plus terminating nulls. In this case, the input data hasn't been checked in relation to the buffer size, so it's considered to be tainted.

Fixed code example

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
  #include <stdio.h>
  void wrapped_read(char* buf, int count) {
     fgets(buf, count, stdin);
  }
  
  void TaintedAccess()
  {
     char buf1[12];
     char buf2[12];
 
    char dst[25];
 
    wrapped_read(buf1, sizeof(buf1));
    wrapped_read(buf2, sizeof(buf2));
    sprintf(dst, "%s-%s\n", buf1, buf2);
 }

In the fixed code example, the size for 'dst' has been correctly defined as 25.

Related checkers

• ABV.ANY_SIZE_ARRAY
• ABV.GENERAL
• ABV.ITERATOR
• ABV.MEMBER
• ABV.TAINTED
• NNTS.MIGHT
• NNTS.TAINTED
• SV.STRBO.BOUND_SPRINTF
• SV.STRBO.BOUND_COPY.OVERFLOW
• SV.STRBO.BOUND_COPY.UNTERM
• SV.STRBO.UNBOUND_COPY
• SV.STRBO.UNBOUND_SPRINTF

External guidance

• CERT ARR30-C: Do not form or use out-of-bounds pointers or array subscripts
• CWE-20: Improper Input Validation
• CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-121: Stack-based Buffer Overflow
• CWE-122: Heap-based Buffer Overflow
• CWE-124: Buffer Underwrite ('Buffer Underflow')
• CWE-125: Out-of-bounds Read
• CWE-129: Improper Validation of Array Index
• CWE-787: Out-of-bounds Write
• CWE-788: Access of Memory Location After End of Buffer
• CWE-805: Buffer Access with Incorrect Length Value
• CWE-806: Buffer Access Using Size of Source Buffer
• CWE-896: None
• OWASP A3:2021 Injection
• STIG-ID: APP3510 Insufficient input validation
• STIG-ID: APP3590.1 Application is vulnerable to buffer overflows

Security training

Application security training materials provided by Secure Code Warrior.

• Resource Injection Training Video - Test your skills with a training example
• Stack Overflow Training Video - Test your skills with a training example
• Heap Overflow Training Video - Test your skills with a training example
• Buffer Overflow Training Video - Test your skills with a training example

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.