ABV.MEMBER

Buffer overflow-array index out of bounds in a structure

ABV.MEMBER checks for array bounds violations in a class or structure. The checker flags any code in which a buffer overflow will occur as a result of this situation. This checker has been extracted from checker ABV.GENERAL to find these specific buffer overflow situations separately, in case you habitually overflow the structure in your code, in which case you would want to turn this checker off.

Vulnerability and risk

Consequences of buffer overflow include valid data being overwritten and execution of arbitrary and potentially malicious code.

Vulnerable code example

1
2
3
4
5
6
7
8
9
10
11
   typedef struct Data {
     int kind;
     char name[8];
     char ext[3];
   } Data;

   void resetDefaults(Data *d) 
   {
     d->kind = 0;
    memset(d->name, 0, 11);
   }

Klocwork produces an ABV.MEMBER report at line 10, indicating that array 'd->name' will overflow. If the design intention is to zero the name and extension, then this code isn't a problem. Otherwise, it's best to make the change shown in the following example.

Fixed code example

1
2
3
4
5
6
7
8
9
10
11
12
   typedef struct Data {
     int kind;
     char name[8];
     char ext[3];
   } Data;

   void resetDefaults(Data *d) 
   {
     d->kind = 0;
    memset(d->name, 0, 8);
    memset(d->ext, 0, 3);
  }

In the fixed code example, the size of the array has been changed so that array 'd->name' isn't used as an alias for both 'name' and 'ext'.

Related checkers

• ABV.ANY_SIZE_ARRAY
• ABV.GENERAL
• ABV.ITERATOR
• ABV.MEMBER
• ABV.TAINTED
• NNTS.MIGHT
• NNTS.TAINTED
• SV.STRBO.BOUND_SPRINTF
• SV.STRBO.BOUND_COPY.OVERFLOW
• SV.STRBO.BOUND_COPY.UNTERM
• SV.STRBO.UNBOUND_COPY
• SV.STRBO.UNBOUND_SPRINTF

External guidance

• CERT ARR00-C: Understand how arrays work
• CERT ENV01-C: Do not make assumptions about the size of an environment variable
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
• CWE-124: Buffer Underwrite ('Buffer Underflow')
• CWE-125: Out-of-bounds Read
• CWE-787: Out-of-bounds Write
• CWE-806: Buffer Access Using Size of Source Buffer
• STIG-ID:APP3590.1 Application is vulnerable to buffer overflows

Security training

Application security training materials provided by Secure Code Warrior.

• Buffer Overflow Training Video - Test your skills with a training example

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.