RABV.CHECKAccessing array value beyond the array’s sizeThe checker looks for cases of accessing the array before the index is checked for being within array boundaries. Vulnerability and riskIf the array is accessed by an index that is beyond the array’s size, it might corrupt data, lead to misbehavior, and/or crash. Vulnerable code example 1
1 // some function returning an index
2 int get_index();
3
4 void main() {
5 const int SIZE = 10;
6
7 int arr[SIZE];
8 int index = get_index();
9
10 arr[index] = 0;
11
12 if (index >= SIZE) {
13 return;
14 }
15 }
Klocwork reports a defect for line 10 indicating that the index is used for accessing the array before the index is checked for validity at line 12. Fixed code example 1
1 // some function returning an index
2 int get_index();
3
4 void main() {
5 const int SIZE = 10;
6
7 int arr[SIZE];
8 int index = get_index();
9
10 if (index >= SIZE) {
11 return;
12 }
13
14 arr[index] = 0;
15 }
The problem from the previous snippet is fixed; the index is checked before it is used for accessing the array. Vulnerable code example 2
1 int get_index();
2
3 void set(int* arr, int index) {
4 arr[index] = 0;
5 }
6
7 void main() {
8 int SIZE = 10;
9 int arr[SIZE];
10 int index = get_index();
11
12 set(arr, index);
13
14 if (index >= SIZE) {
15 return;
16 }
17 }
Similar to example 1, but the array is not accessed in the same function “main”, instead being passed to another function “set” as a parameter. Klocwork reports a defect for line 12 indicating that the index is used for accessing the array inside the function “set” before it is checked for validity at line 14. Fixed code example 2
1 int get_index();
2
3 void set(int* arr, int index) {
4 arr[index] = 0;
5 }
6
7 void main() {
8 int SIZE = 10;
9 int arr[SIZE];
10 int index = get_index();
11
12 if (index >= SIZE) {
13 return;
14 }
15
16 set(arr, index);
17 }
The defect is fixed in the same manner; the index is now checked for validity at line 12 before it is passed to the function “set” at line 16. Related checkers |