CS.SV.TAINTED.LOOP_BOUND.RESOURCE

Resource allocation in a loop whose exit condition is controlled by tainted data

Whenever input is accepted from the user or the outside environment, it should be validated for type, length, format, and range before it is used. Until properly validated, the data is said to be tainted. The CS.SV.TAINTED family of checkers looks for the use of tainted data in code.

The CS.SV.TAINTED.LOOP_BOUND.RESOURCE checker flags code where an unvalidated argument is used as a loop boundary while any resource, managed or unmanaged, is allocated within the loop.

While some resources might be quickly disposed of with the garbage collector if no references to it remain at the end of the loop body, the timing of such disposal is not guaranteed. Moreover, some allocated resources can have an increased lifespan that can result in excessive resource consumption, potentially leading to the exhaustion of resources and program failure. This behavior can be exploited by the potential attackers when exit conditions from such loops are controlled by the external input.

Vulnerability and risk

When input to code isn't validated properly, an attacker can craft the input in a form that isn't expected by the application. The receipt of unintended input can result in altered control flow, arbitrary resource control, and arbitrary code execution. With this sort of opportunity, an attacker could

  • provide unexpected values and cause a program crash
  • cause excessive resource consumption
  • read confidential data
  • use malicious input to modify data or alter control flow
  • execute arbitrary commands

Vulnerable code example 1

1   using System;
2   using System.IO;
3   namespace TaintedResource
4   {
5     class TestTaintedResource
6     {
7       const string fileName = "File.dat";
8   
9       public static void TaintedResourceExample1()
10      {
11              int num = getTaintedData();
12        for(int i = 0; i < num; i++)
13        {
14           Test obj = new Test();     // CS.SV.TAINTED.LOOP_BOUND.RESOURCE
15        }
16      }
17  
18      public static int getTaintedData()
19      {
20        try
21        {
22          using (BinaryReader br = new BinaryReader(File.Open(fileName, FileMode.Open)))
23          {
24            return(br.ReadInt32());
25          }
26        }
27        catch (Exception e)
28        {
29          Console.WriteLine(e);
30        }
31      }
32    }
33    class Test
34    {
35      ---
36      ---
37    }
38  }

Klocwork reports a CS.SV.TAINTED.LOOP_BOUND.RESOURCE defect a line 14, indicating that "Unvalidated integer 'num' received through a call to 'getTaintedData' at line 11 can be used in a loop condition at line 12. An object of type 'Test' is allocated inside a potentially infinite loop that can cause uncontrolled limited resource consumption". In this case, potentially tainted data is used as a loop boundary, which could be exploited by a malicious user.

Fixed code example 1

1   using System;
2   using System.IO;
3   namespace TaintedResource
4   {
5     class TestTaintedResource
6     {
7       const string fileName = "File.dat";
8   
9       public static void TaintedResourceExample1()
10      {
11              int num = getTaintedData();
12        if (num > MAX_ALLOCATION_QUOTA_IN_ONE_GO)
13        {
14           return;
15        }
16        for(int i = 0; i < num; i++)
17        {
18           Test obj = new Test();
19        }
20      }
21  
22      public static int getTaintedData()
23      {
24        try
25        {
26          using (BinaryReader br = new BinaryReader(File.Open(fileName, FileMode.Open)))
27          {
28            return(br.ReadInt32());
29          }
30        }
31        catch (Exception e)
32        {
33          Console.WriteLine(e);
34        }
35      }
36    }
37    class Test
38    {
39      ---
40      ---
41    }
42  }

Klocwork no longer reports a defect, because the integer 'num' is checked at line 12 before it's used as a loop condition.

Vulnerable code example 2

1   using System;
2   using System.IO;
3   namespace TaintedResource
4   {
5     class TestTaintedResource
6     {
7       const string fileName = "File.dat";
8   
9       public static void TaintedResourceExample1()
10      {
11              int num = getTaintedData();
12        for(int i = 0; i < num; i++)
13        {
14           Test obj = new { X=1, Y=2, ---};     // CS.SV.TAINTED.LOOP_BOUND.RESOURCE
15        }
16      }
17  
18      public static int getTaintedData()
19      {
20        try
21        {
22          using (BinaryReader br = new BinaryReader(File.Open(fileName, FileMode.Open)))
23          {
24            return(br.ReadInt32());
25          }
26        }
27        catch (Exception e)
28        {
29          Console.WriteLine(e);
30        }
31      }
32    }
33    class Test
34    {
35      ---
36      ---
37    }
38  }

Klocwork reports a CS.SV.TAINTED.LOOP_BOUND.RESOURCE defect at line 14, indicating that "Unvalidated integer 'num' received through a call to 'getTaintedData' at line 11 can be used in a loop condition at line 12. An object of type '<anonymous type>' is allocated inside a potentially infinite loop that can cause uncontrolled limited resource consumption". In this case, potentially tainted data is used as a loop boundary, which could be exploited by a malicious user.

Fixed code example 2

1   using System;
2   using System.IO;
3   namespace TaintedResource
4   {
5     class TestTaintedResource
6     {
7       const string fileName = "File.dat";
8   
9       public static void TaintedResourceExample1()
10      {
11              int num = getTaintedData();
12        if (num > MAX_ALLOCATION_QUOTA_IN_ONE_GO)
13        {
14           return;
15        }
16        for(int i = 0; i < num; i++)
17        {
18           Test obj = new { X=1, Y=2, ---};
19        }
20      }
21  
22      public static int getTaintedData()
23      {
24        try
25        {
26          using (BinaryReader br = new BinaryReader(File.Open(fileName, FileMode.Open)))
27          {
28            return(br.ReadInt32());
29          }
30        }
31        catch (Exception e)
32        {
33          Console.WriteLine(e);
34        }
35      }
36    }
37    class Test
38    {
39      ---
40      ---
41    }
42  }

Klocwork no longer reports a defect because the integer 'num' is checked at line 12 before it is used as a loop exit condition.