SV.INT_OVF

Tainted data may lead to Integer Overflow

This error appears when tainted data can be traced to arithmetical operations.

As of release 2023.2, this checker supports Jakarta EE.

Vulnerability and risk

Integer overflow may fail some important security checks, which can lead to privilege escalation, or can lead to denial-of-service (DoS) attacks. For example, a loop counter can lead to infinitive or very long loops, or to excessive memory allocation, if large numbers of objects are requested. All operations can lead to problems, not just addition and multiplication.

Klocwork security vulnerability (SV) checkers identify calls that create potentially dangerous data; these calls are considered unsafe sources. An unsafe source can be any data provided by the user, since the user could be an attacker or has the potential for introducing human error.

Mitigation and prevention

Make sure any int values you process are in the correct range and, if they are expecting size values, always check that the values are not negative and check again the allowable top limit.

Vulnerable code example 1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
   import javax.servlet.http.*;
    protected void doPost(HttpServletRequest req,
        HttpServletResponse resp) throws ServletException,
        IOException {
      String amount = req.getParameter("creditAmount");
      int value = Integer.parseInt(amount);
      int prevCreditBalance = getCreditBalance(req
          .getParameter("user"));
      // maximum credit is 5000
      if (prevCreditBalance + value > 5000) {
        // transaction
        dosomething();
      }
      // ...
    }

Klocwork produces the following report:

com/klocwork/examples/Example_117.java:10:Severe(2): SV.INT_OVF: Tainted data value from getParameter().$RET used in arithmetic operation '+' can cause integer overflow or unexpected result -> getParameter().$RET at com/klocwork/examples/Example_117.java:5 -> amount at com/klocwork/examples/Example_117.java:5 10 -> parseInt().$RET at com/klocwork/examples/Example_117.java:6 -> value at com/klocwork/examples/Example_117.java:6 10

Vulnerable code example 2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
   import jakarta.servlet.http.*;
    protected void doPost(HttpServletRequest req,
        HttpServletResponse resp) throws ServletException,
        IOException {
      String amount = req.getParameter("creditAmount");
      int value = Integer.parseInt(amount);
      int prevCreditBalance = getCreditBalance(req
          .getParameter("user"));
      // maximum credit is 5000
      if (prevCreditBalance + value > 5000) {
        // transaction
        dosomething();
      }
      // ...
    }

Klocwork produces the following report:

com/klocwork/examples/Example_117.java:10:Severe(2): SV.INT_OVF: Tainted data value from getParameter().$RET used in arithmetic operation '+' can cause integer overflow or unexpected result -> getParameter().$RET at com/klocwork/examples/Example_117.java:5 -> amount at com/klocwork/examples/Example_117.java:5 10 -> parseInt().$RET at com/klocwork/examples/Example_117.java:6 -> value at com/klocwork/examples/Example_117.java:6 10

External guidance

• CERT MSC05-J: Do not exhaust heap space
• CERT NUM00-J: Detect or prevent integer overflow
• CWE-190: Integer Overflow or Wraparound
• STIG-ID:APP3550 Application is vulnerable to integer overflows

Security training

Application security training materials provided by Secure Code Warrior.

• Integer Overflow Training Video - Test your skills with a training example

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning Java analysis for more information.