Static Analysis Problem Type Reference
A tainted value is used as a loop bound.
A value is considered "tainted" if it comes into the program from outside, for example, through an input operation. Tainted values should be regarded with suspicion, because security attacks often involve a malicious user finding a way to get a strange value into a program entry point. In this case, the tainted value is used as a loop bound. This could allow a malicious user to make the program execute a very large number of loop iterations. At the least, this could provide a way to deny service to the application by consuming lots of time.
The checker removes the tainted attribute on a value if it sees evidence that the value is being examined before it is used.
| ID | Code Location | Description |
|---|---|---|
| 1 | Memory read | The place where the tainted value was used |
| 2 | Call site | The call from which the tainted value was obtained |
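```c
#include <stdio.h>
#include <stdlib.h>   /* atoi */

int main(int argc, char **argv)
{
    int upper, i;

    /* Guard against a missing argument; this does not examine upper. */
    if (argc < 2)
        return 1;

    upper = atoi(argv[1]);
    // upper is unvalidated value so
    // this loop could run a LONG time
    for (i = 0; i < upper; i++) {
        printf("i = %d\n", i);
    }
    return 0;
}
```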
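For comparison, here is the same program with the bound examined before it reaches the loop. This is an added example, not part of the original reference; `parse_loop_bound` and the `MAX_ITERATIONS` limit are hypothetical names and values chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed application limit on iterations; not a value from the reference. */
#define MAX_ITERATIONS 1000L

/* Parse s as a loop bound in [0, max]. Returns 0 and stores the value in
 * *out on success; returns -1 on malformed, negative or oversized input. */
static int parse_loop_bound(const char *s, long max, long *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || end == s || *end != '\0')
        return -1;              /* overflow, no digits, or trailing junk */
    if (v < 0 || v > max)
        return -1;              /* outside the range the loop may run */
    *out = v;
    return 0;
}

int main(int argc, char **argv)
{
    long upper, i;

    if (argc < 2 || parse_loop_bound(argv[1], MAX_ITERATIONS, &upper) != 0) {
        fprintf(stderr, "usage: <program> <count 0..%ld>\n", MAX_ITERATIONS);
        return 1;
    }
    /* upper has been range-checked, so the loop runs at most MAX_ITERATIONS times */
    for (i = 0; i < upper; i++) {
        printf("i = %ld\n", i);
    }
    return 0;
}
```

Unlike `atoi`, `strtol` reports overflow and trailing characters, so malformed input is rejected instead of being silently converted.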