SEC-BUFFER-tainted-alloc-size
Synopsis
A user is able to control the amount of memory used in an allocation.
Enabled by default
Yes
Severity/Certainty
High/Medium

Full description
The size of an allocation is derived from user input. User input should be bounds-checked before it is used as an argument to a memory allocation function. If the size being passed to an allocation function is not checked properly, an attacker might cause an application crash via an out-of-memory condition, or cause the application to consume large amounts of memory on a system. Any size derived from user input that is passed to an allocation function should be checked to make sure it is not too large.
Coding standards
- CERT INT04-C: Enforce limits on integer values originating from untrusted sources
- CWE 789: Uncontrolled Memory Allocation
- CWE 770: Allocation of Resources Without Limits or Throttling
- CWE 20: Improper Input Validation
Code examples
The following code example fails the check and will give a warning: the size is taken from user input and only an upper bound is tested, so a negative value is accepted and becomes a very large size_t when passed to malloc.
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    int main(int argc, char **argv) {
        int num;
        char buffer[50];
        char *other_string = "Hello World!";
        /* The allocation size comes straight from user input (tainted). */
        if (fgets(buffer, sizeof buffer, stdin) == NULL) return -1;
        if (sscanf(buffer, "%d", &num) != 1) return -1;
        /* Only an upper bound is checked: a negative num passes this test
           and is converted to a huge size_t in the malloc call below. */
        if (num > 100) return -1;
        char *string = (char *)malloc(num);
        strcpy(string, other_string);
        return 0;
    }
The following code example passes the check and will not give a warning about this issue:
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    int main(int argc, char **argv) {
        int num;
        char buffer[50];
        char *other_string = "Hello World!";
        if (fgets(buffer, sizeof buffer, stdin) == NULL) return -1;
        if (sscanf(buffer, "%d", &num) != 1) return -1;
        /* Reject negative values before any comparison against size_t,
           require room for the string plus its terminator, and cap the size. */
        if (num < 0 || (size_t)num < strlen(other_string) + 1 || num > 100) return -1;
        char *string = (char *)malloc(num);
        if (string == NULL) return -1;
        strcpy(string, other_string);
        free(string);
        return 0;
    }
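As an added example (not part of this checker's documentation), the same bounds check factored into a reusable helper that also covers the failure modes the examples above leave to sscanf: non-numeric input, trailing garbage, values that overflow a long, and negative values that would wrap when converted to size_t. The names checked_alloc_size, alloc_and_copy and the ALLOC_SIZE_MAX cap of 100 are chosen here to match the examples.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALLOC_SIZE_MAX 100  /* policy cap, assumed to match the examples above */

/* Parse a user-supplied decimal string into a size that is safe to hand to
 * malloc. Returns 0 and stores the size in *out on success, -1 on failure:
 * no digits, trailing junk, overflow of long, a negative value, or a value
 * outside [min, max]. The sign is tested on the signed value BEFORE the cast,
 * because a negative long silently becomes a huge size_t. */
int checked_alloc_size(const char *input, size_t min, size_t max, size_t *out)
{
    char *end;
    errno = 0;
    long v = strtol(input, &end, 10);
    if (end == input) return -1;                    /* nothing parsed */
    while (*end == ' ' || *end == '\n') end++;      /* tolerate fgets newline */
    if (*end != '\0') return -1;                    /* trailing junk */
    if (errno == ERANGE) return -1;                 /* overflowed long */
    if (v < 0) return -1;                           /* would wrap as size_t */
    if ((size_t)v < min || (size_t)v > max) return -1;
    *out = (size_t)v;
    return 0;
}

/* Allocate a buffer of user-chosen size and copy src into it, or return NULL.
 * The minimum size is strlen(src) + 1 so the terminator always fits. */
char *alloc_and_copy(const char *user_size, const char *src)
{
    size_t n;
    if (checked_alloc_size(user_size, strlen(src) + 1, ALLOC_SIZE_MAX, &n) != 0)
        return NULL;
    char *buf = malloc(n);
    if (buf == NULL) return NULL;
    memcpy(buf, src, strlen(src) + 1);  /* fits: n >= strlen(src) + 1 */
    return buf;
}

int main(void)
{
    char line[50];
    if (fgets(line, sizeof line, stdin) == NULL) return 1;
    char *s = alloc_and_copy(line, "Hello World!");
    if (s == NULL) { fputs("size rejected\n", stderr); return 1; }
    puts(s);
    free(s);
    return 0;
}
```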