SEC-BUFFER-tainted-copy-length
Synopsis
A tainted value is used as the size of the memory copied from one buffer to another.
Enabled by default
Yes
Severity/Certainty
High/Medium

Full description
A value derived from user input is used as the size of the memory when contents are copied from one buffer to another. An attacker could supply a value that causes a buffer overrun, which might expose sensitive data stored in memory or cause an application crash. Buffer sizes taken from user input should be properly bounds-tested against both the source and destination buffer sizes before they are used.
Coding standards
- CERT INT04-C
Enforce limits on integer values originating from untrusted sources
- CWE 126
Buffer Over-read
- CWE 120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Code examples
The following code example fails the check and will give a warning:
#include <stdio.h>
#include <string.h>   /* memcpy */

int main(int argc, char **argv) {
    char dest[50], src[50];
    int size = getchar();   /* tainted: taken directly from input */
    int size2 = 10;
    int size3 = 20;
    int size4 = 30;
    int i;
    for (i = 0; i < 4; i++) {
        /* On the fourth iteration size4 holds the tainted value from
           getchar(), so the copy length is unbounded. */
        memcpy(dest, src, size4);
        size4 = size3;
        size3 = size2;
        size2 = size;
    }
    return 0;
}
The following code example passes the check and will not give a warning about this issue:
#include <stdio.h>
#include <string.h>   /* memcpy */

int main(int argc, char **argv) {
    char dest[50], src[50];
    int size = getchar();   /* tainted: taken directly from input */
    int size2 = 10;
    int size3 = 20;
    int size4 = 30;
    int i;
    for (i = 0; i < 4; i++) {
        /* The length is checked against the 50-byte buffers before every
           copy; the lower bound also rejects EOF (-1) from getchar(). */
        if (size4 >= 0 && size4 <= 50)
            memcpy(dest, src, size4);
        size4 = size3;
        size3 = size2;
        size2 = size;
    }
    return 0;
}
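The bounds test the check expects, applied to a more realistic shape than the examples above: a length-prefixed record whose length byte is attacker-controlled, plus a signed length of the getchar() kind. This is an added example, not part of the checker documentation; the message layout (one length byte followed by payload) and the function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Copies the payload of a length-prefixed record out of an untrusted message.
 * Assumed layout: msg[0] is the payload length (tainted), msg[1..] is payload.
 * Returns the number of bytes copied, or -1 when the claimed length exceeds
 * either the bytes actually present or the destination capacity. */
int copy_record(char *dst, size_t dst_cap, const unsigned char *msg, size_t msg_len)
{
    if (dst == NULL || msg == NULL || msg_len < 1)
        return -1;

    size_t claimed = msg[0];        /* tainted: chosen by whoever sent the message */
    size_t avail = msg_len - 1;     /* payload bytes really in the buffer */

    /* Both bounds matter: one guards an over-read of msg, the other an
       overrun of dst. Reject before touching memory. */
    if (claimed > avail || claimed > dst_cap)
        return -1;

    memcpy(dst, msg + 1, claimed);
    return (int)claimed;
}

/* Same test for a signed length such as the int returned by getchar().
 * A negative value (EOF is -1) converts to a huge size_t inside memcpy,
 * so the sign check is not optional. */
int copy_with_signed_length(char *dst, size_t dst_cap,
                            const char *src, size_t src_cap, int tainted_len)
{
    if (dst == NULL || src == NULL || tainted_len < 0)
        return -1;
    if ((size_t)tainted_len > dst_cap || (size_t)tainted_len > src_cap)
        return -1;

    memcpy(dst, src, (size_t)tainted_len);
    return tainted_len;
}
```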