Use of tainted pointer

Pointer from an unsecure source may be NULL or point to unknown memory

expand all in page

Description

This defect occurs when:

  • Tainted NULL pointer — the pointer obtained from an unsecure source is not validated against NULL.

  • Tainted size pointer — the size of the memory zone that an unsecure pointer points to is not validated.

Note

On a single pointer, your code can have instances of Use of tainted pointer, Pointer dereference with tainted offset, and Tainted NULL or non-null-terminated string. Bug Finder raises only the first tainted pointer defect that it finds.

To consider all input from outside the current analysis perimeter as unsecure, use -consider-analysis-perimeter-as-trust-boundary.

Risk

An attacker can give your program a pointer that points to unexpected memory locations. If the pointer is dereferenced to write, the attacker can:

  • Modify the state variables of a critical program.

  • Cause your program to crash.

  • Execute unwanted code.

If the pointer is dereferenced to read, the attacker can:

  • Read sensitive data.

  • Cause your program to crash.

  • Modify a program variable to an unexpected value.

Fix

Avoid use of pointers from external sources.

Alternatively, if you trust the external source, sanitize the pointer before dereference. In a separate sanitization function:

  • Check that the pointer is not NULL.

  • Check the size of the memory location (if possible). This second check validates whether the size of the data the pointer points to matches the size your program expects.

The defect still appears in the body of the sanitization function. However, if you use a sanitization function, instead of several occurrences, the defect appears only once. You can justify the defect and hide it in later reviews by using code annotations. See Address Polyspace Results Through Bug Fixes or Justifications.

Examples

expand all

#include<stdlib.h>
void taintedptr(void) {
	char *p = getenv("ARG");
	char x = *(p+10);  
}

In this example, the pointer *p points to an string of unknown size. During the dereferencing operation, the pointer might be null or point to unknown memory, which can result in segmentation fault.

Correction — Check Pointer

One possible correction is to sanitize the pointer before using it. This example checks whether the pointer is nullptr before it is dereferenced.

#include<stdlib.h>
#include <string.h> 
void taintedptr(void) {
	char *p = getenv("ARG");
	if(*p!=NULL && strlen(p)>10)
	{
	char x = *(p+10);
	}
}

Result Information

Group: Tainted Data
Language: C | C++
Default: Off
Command-Line Syntax: TAINTED_PTR
Impact: Low
CWE ID: 690, 822

See Also

| |

Topics

Introduced in R2015b

Polyspace Bug Finder Documentation

Support