ABV.TAINTED

Buffer overflow-array index from tainted input out of bounds

ABV.TAINTED checks for buffer overflows caused by unvalidated, or tainted, input data originating from the user or external devices. This checker flags execution paths through the code in which input data involved in a buffer overflow was not validated.

Vulnerability and risk

Buffer overflows are frequently the source of application attacks and exploits.

Mitigation and prevention

To avoid the possibility of these attacks from tainted input

  • make sure you insert a validation condition before the line in which the overflow can occur
  • consider all the potentially relevant input properties of the input, including length, type of input, full range of acceptable values, missing or extra inputs, syntax, consistency in related fields, and conformance to business rules
  • make sure the minimum as well as maximum of a range is verified, so that negative values cannot be mistakenly accepted

Vulnerable code example

Copy
  #include <stdio.h>
  void wrapped_read(char* buf, int count) {
     fgets(buf, count, stdin);
  }
  
  void TaintedAccess()
  {
     char buf1[12];
     char buf2[12];
 
    char dst[16];
 
    wrapped_read(buf1, sizeof(buf1));
    wrapped_read(buf2, sizeof(buf2));
    sprintf(dst, "%s-%s\n", buf1, buf2);
 }

Klocwork produces a buffer overflow report for line 15 indicating that unvalidated input is used as an array index to 'dst'. Array 'dst' is defined with a size of 16, but lines 13 and 14 may produce an input of 22 characters, plus terminating nulls. In this case, the input data hasn't been checked in relation to the buffer size, so it's considered to be tainted.

Fixed code example

Copy
  #include <stdio.h>
  void wrapped_read(char* buf, int count) {
     fgets(buf, count, stdin);
  }
  
  void TaintedAccess()
  {
     char buf1[12];
     char buf2[12];
 
    char dst[25];
 
    wrapped_read(buf1, sizeof(buf1));
    wrapped_read(buf2, sizeof(buf2));
    sprintf(dst, "%s-%s\n", buf1, buf2);
 }

                                                

In the fixed code example, the size for 'dst' has been correctly defined as 25.

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.