IAR Embedded Workbench for Arm 9.70.x

SEC-BUFFER-tainted-offset

Synopsis

A user-controlled variable is used as an offset to a pointer without proper bounds checking.

Enabled by default

Yes

Severity/Certainty

High/Medium

Full description

In an arithmetic operation involving a pointer, a variable is used that is under user control. Without checking the bounds of this variable, an attacker could send a value to the application that might cause a buffer overrun, corruption of data, or exposure of sensitive information stored in memory. The bounds of all tainted variables must be properly checked before they are used in pointer arithmetic.

Coding standards

This check does not correspond to any coding standard rules.

Code examples

The following code example fails the check and will give a warning:

#include <stdio.h>
#include <stdlib.h>

void example(int *p) {
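  int a = atoi(getenv("TEST"));  /* a is tainted: its value comes from the environment */
  p + a;                         /* tainted offset used without a bounds check */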
}

The following code example passes the check and will not give a warning about this issue:

#include <stdio.h>
#include <stdlib.h>

void example(int *p) {
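  int a = atoi(getenv("TEST"));  /* a is tainted: its value comes from the environment */
  if (a > 0 && a < 10)           /* bounds check before the pointer arithmetic */
    p + a;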
}
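
The following is an added example, not part of the IAR documentation. It extends the passing case to the situations a real caller has to handle: an unset variable, non-numeric text, numeric overflow, and a buffer length supplied by the caller. The names `parse_index`, `element_at`, and `element_from_env` are hypothetical, and the 10-element table is constructed sample data.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Convert untrusted text to an index in [0, len). Returns 0 on success,
 * -1 if the text is missing, not a plain decimal number, or out of range.
 * parse_index is a hypothetical helper name. */
static int parse_index(const char *text, size_t len, size_t *index) {
  char *end;
  long value;

  if (text == NULL || *text == '\0')
    return -1;                      /* getenv() returns NULL when unset */
  errno = 0;
  value = strtol(text, &end, 10);
  if (errno == ERANGE || end == text || *end != '\0')
    return -1;                      /* overflow, no digits, or trailing junk */
  if (value < 0 || (unsigned long)value >= len)
    return -1;                      /* offset falls outside the buffer */
  *index = (size_t)value;
  return 0;
}

/* Return a pointer to the element of base[0..len-1] selected by the
 * tainted text, or NULL if validation fails. The pointer arithmetic is
 * reached only after the bounds check has passed. */
int *element_at(int *base, size_t len, const char *text) {
  size_t index;

  if (base == NULL || parse_index(text, len, &index) != 0)
    return NULL;
  return base + index;
}

/* Same check, with the offset read from the TEST environment variable. */
int *element_from_env(int *base, size_t len) {
  return element_at(base, len, getenv("TEST"));
}

int main(void) {
  int table[10] = {0};              /* constructed sample buffer */
  int *p = element_from_env(table, 10);
  printf("%s\n", p ? "offset accepted" : "offset rejected");
  return 0;
}
```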