SEC-BUFFER-tainted-index
In this section:
Synopsis
An array is accessed with an index derived from user input.
Enabled by default
Yes
Severity/Certainty
High/Medium
Full description
An array is accessed with an index that is unchecked and derived from user input. An attacker could create input that might cause a buffer overrun. Such an attack might cause an application crash, corruption of data, or exposure of sensitive information in memory. All input from users should be bounds-checked before it is used to access an array.
Coding standards
- CERT INT04-C
Enforce limits on integer values originating from untrusted sources
- CWE 129
Improper Validation of Array Index
- CWE 126
Buffer Over-read
Code examples
The following code example fails the check and will give a warning:
#include <stdio.h>
#include <string.h>
int *main(int argc, char *argv[]) {
int *options[10];
char buffer[1024];
int index, success, socket;
success = recv(socket, buffer, sizeof(buffer) - 1, 0);
if (!success) return 0;
sscanf(buffer, "%d", &index);
return options[index]; /* Index could be any integer */
}
The following code example passes the check and will not give a warning about this issue:
#include <stdio.h>
#include <string.h>
int *main(int argc, char *argv[]) {
int *options[10];
char buffer[1024];
int index, success, socket;
success = recv(socket, buffer, sizeof(buffer) - 1, 0);
if (!success) return 0;
sscanf(buffer, "%d", &index);
if (index >= 0 && index < 10)
return options[index]; /* Index is between 0 and 9 */
}