Tainted allocation size

A tainted value is used as a size in a memory allocation.

A value is considered "tainted" if it comes into the program from outside, for example through an input operation. Tainted values should be regarded with suspicion, because security attacks often involve a malicious user finding a way to get an unexpected value into a program entry point. In this case, the tainted value is used as an allocation size. This can allow a malicious user to make the program allocate a very large amount of memory, which can destabilize the application by creating a low-memory condition. It can also lead to a null pointer dereference if the calls that allocate storage do not check for failure (a null result).

The checker removes the tainted attribute on a value if it sees evidence that the value is being examined before it is used.

ID  Observation   Description
1   Memory read   The place the tainted value was used
2   Call site     The call from which the tainted value was obtained

Examples


#include <stdlib.h>

extern void DoWork(int *p);

int main(int argc, char **argv)
{
    size_t size;
    int *p;

    if (argc < 2)
        return 1;

    // argv[1] is tainted: it comes from outside the program (observation 2)
    size = atoi(argv[1]);

    // size is an unvalidated value used directly as the allocation size
    // (observation 1); a negative or huge input becomes a huge size_t,
    // and the result of malloc is never checked for NULL
    p = (int*) malloc(size);

    DoWork(p);
    return 0;
}
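The following is an added example, not part of the Intel documentation, showing the hardened counterpart of the pattern above: the tainted string is parsed with range checking, bounded by a policy limit, and the allocation result is checked for NULL. The names parse_item_count, alloc_items, unchecked_size and the MAX_ITEMS limit are assumptions chosen for this example; unchecked_size reproduces the original atoi-into-size_t conversion for contrast.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound the program is willing to allocate from an untrusted count.
 * Hypothetical policy limit chosen for this example. */
#define MAX_ITEMS 1024

/* Parse an untrusted decimal string into an element count.
 * Returns 1 and stores the count on success; returns 0 if the string is
 * empty, has trailing garbage, overflows long, or is outside 1..MAX_ITEMS.
 * Once the value has been examined this way, it is no longer tainted. */
int parse_item_count(const char *text, size_t *out)
{
    char *end;
    long v;

    if (text == NULL || *text == '\0')
        return 0;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno == ERANGE || end == text || *end != '\0')
        return 0;
    if (v < 1 || (unsigned long)v > MAX_ITEMS)
        return 0;
    *out = (size_t)v;
    return 1;
}

/* Allocate a zeroed int array sized from an untrusted count.
 * Returns NULL if the count is rejected or the allocation fails. */
int *alloc_items(const char *text)
{
    size_t n;
    int *p;

    if (!parse_item_count(text, &n))
        return NULL;
    /* Multiplication overflow guard; unreachable with MAX_ITEMS but shows
     * the check that belongs next to every count-times-size allocation. */
    if (n > SIZE_MAX / sizeof *p)
        return NULL;
    p = malloc(n * sizeof *p);
    if (p == NULL)          /* the failure the original example ignores */
        return NULL;
    memset(p, 0, n * sizeof *p);
    return p;
}

/* The original, unchecked conversion for contrast: atoi("-1") yields -1,
 * which becomes SIZE_MAX when stored in a size_t. */
size_t unchecked_size(const char *text)
{
    size_t size = atoi(text);
    return size;
}

int main(int argc, char **argv)
{
    int *p = alloc_items(argc > 1 ? argv[1] : "");
    if (p == NULL)
        return 1;
    free(p);
    return 0;
}
```

The checker clears the tainted attribute once it sees the value examined before use; in this version that examination is the range test in parse_item_count, so the size reaching malloc is both bounded and already validated.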

Copyright © 2010, Intel Corporation. All rights reserved.