ABV.ITERATOR

Buffer overflow-array index out of bounds in an iteration

ABV.ITERATOR checks for out-of-bounds access to an array element using a pointer in an iteration through the array. The checker flags any code in which a buffer overflow could occur as a result of this situation.

Vulnerability and risk

Consequences of buffer overflow include valid data being overwritten and execution of arbitrary and potentially malicious code.

Vulnerable code example 1

1   int example1()
2   {
3       int a[10] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9};
4       int *p;
5       for (p = a ; p < a + 10; p++)
6       {
7           if (bar(*p) < 5)
8               break;
9       }
10       return *p;   // ABV.ITERATOR
11   }

Klocwork produces a buffer overflow report for line 10 indicating that pointer 'p' is used when its value may exceed the bounds of array 'a'. Pointer 'p' is assigned to 'a' and iterated at line 5. In this case, the iteration may cause array 'a' to overrun its limit of 10.

Fixed code example 1

1   int example1()
2   {
3       int a[10] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9};
4       int *p;
5       for (p = a ; p < a + 10; p++)
6       {
7           if (bar(*p) < 5)
8               break;
9       }
10      if (p < a + 10)
11        return *p;
12      return 0;
13   }

In the fixed code example, a check is made at line 10 to ensure that array 'a' can't overflow.

Vulnerable code example 2

1   int example2(int x)
2   {
3       int a[10] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9};
4       int *p = bar (a, x); //function returns a pointer to some element in "a"
5       if (p < a + 5)
6            return *p;
7   
8       return p[5]; // DEFECT: p[5] points to a[11] or beyond 
9   }

Klocwork produces an ABV.ITERATOR report at line 8, indicating that array 'a' will overflow after the iteration.

Fixed code example 2

1   int example2(int x)
2   {
3       int a[10] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9};
4       int *p = bar (a, x); //function returns a pointer to some element in "a"
5       if (p >= a + 5)
6            return *p;
7   
8       return p[5];  
9   }

In the fixed code example, the syntax is corrected in line 5, and the buffer overflow is avoided.

Related checkers

• ABV.ANY_SIZE_ARRAY
• ABV.GENERAL
• ABV.ITERATOR
• ABV.MEMBER
• ABV.TAINTED
• NNTS.MIGHT
• NNTS.TAINTED
• SV.STRBO.BOUND_SPRINTF
• SV.STRBO.BOUND_COPY.OVERFLOW
• SV.STRBO.BOUND_COPY.UNTERM
• SV.STRBO.UNBOUND_COPY
• SV.STRBO.UNBOUND_SPRINTF

External guidance

• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-805: Buffer Access with Incorrect Length Value
• 2011 CWE/SANS Top 25 Most Dangerous Programming Errors
• ARR30-C: Do not form or use out of bounds pointers or array subscripts
• STIG-ID:APP3590.1 Application is vulnerable to buffer overflows

Extension

This checker can be extended through the Klocwork knowledge base. See Tuning C/C++ analysis for more information.