SEC-LOOP-tainted-bound
In this section:
Synopsis
A user-controlled value is used as part of a loop condidition.
Enabled by default
Yes
Severity/Certainty
Medium/Medium
Full description
A user-controlled value is used as part of a loop condidition. Unless the bounds of the value used in the condition is checked properly, an attacker might control the number of times a loop executes. This might cause integer overflows or possibly be used in denial of service attacks. User input used in a loop condition must have its upper and lower bounds checked before used.
Coding standards
- CWE 606
Unchecked Input for Loop Condition
Code examples
The following code example fails the check and will give a warning:
void example(void) {
int a;
int i = 0;
scanf("%d", &a);
while (i < a) {
i++;
}
}
The following code example passes the check and will not give a warning about this issue:
void example(void) {
int a;
int i = 0;
scanf("%d", &a);
if (a > 0 && a < 10) {
while (i < a) {
i++;
}
}
}