CWE Rule 606

Unchecked Input for Loop Condition

Since R2023b

Description

Rule Description

The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive looping.

Polyspace Implementation

The rule checker checks for Loop bounded with tainted value.

Examples

Issue

This issue occurs when the loop condition or a subexpression of the loop condition is controlled by tainted values. Polyspace® assumes that data from external sources are tainted. See Sources of Tainting in a Polyspace Analysis.

Risk

Using a tainted value to control a loop can result in an infinite loop, an excessively long loop, or a prematurely terminated loop. An attacker who controls the bound can make the program burn CPU or memory until it is killed (denial of service), skip work the program expects to happen, or, if the loop counter also indexes a buffer, drive an out-of-bounds access.

Fix

Before starting the loop, validate any boundary or iterator value that comes from an untrusted source by checking both its lower bound and its upper bound, and execute the loop only when both checks pass. Checking one end of the range is not enough: an unchecked negative bound silently skips the loop, and an unchecked positive one lets the attacker choose how long the program runs. Alternatively, saturate (clamp) the tainted value into a known range before it controls the loop.

Extend Checker

To consider any data that does not originate in the current scope of Polyspace analysis as tainted, use the command line option -consider-analysis-perimeter-as-trust-boundary.

Example — Loop Boundary From User Input
#include<stdio.h>
enum {
    SIZE10  =  10,
    SIZE100 = 100,
    SIZE128 = 128
};

int taintedloopboundary(void) {
    int count;
    scanf("%d", &count);
    int res = 0;
    for (int i=0 ; i < count; ++i) { //Noncompliant
        res += i;
    }
    return res;
}

In this example, the function reads count from the user and loops count times. Because the value is not checked before the for loop starts, count can be any int: a negative value skips the loop entirely, and a large value makes the loop run for as long as the attacker chooses. (If scanf fails, count is not even initialized.)

Correction: Clamp Tainted Loop Control

One possible correction is to clamp the tainted loop control. To bound count, this example limits it to a minimum value MIN and a maximum value MAX with the inline helper functions min and max. Regardless of the user input, count then lies within [MIN, MAX], so the loop runs a known, bounded number of times.

#include <stdio.h>
#define MIN 50
#define MAX 128
static inline int max(int a, int b) { return a > b ? a : b; }
static inline int min(int a, int b) { return a < b ? a : b; }

int taintedloopboundary(void) {
    int count;
    if (scanf("%d", &count) != 1) {
        return 0; /* no integer was read: do not use the uninitialized count */
    }
    int res = 0;
    /* Saturate the tainted value into [MIN, MAX] before it controls the loop */
    count = max(MIN, min(count, MAX));
    for (int i=0 ; i<count ; ++i) {
        res += i;
    }
    return res;
}
Correction: Check Tainted Loop Control

Another possible correction is to check both the low bound and the high bound of the tainted loop boundary variable before starting the for loop. This example executes the loop only when count is in the range 0 to 127 (that is, less than SIZE128); for any other value the loop does not run and res stays 0.

#include <stdio.h>

enum {
    SIZE10  =  10,
    SIZE100 = 100,
    SIZE128 = 128
};

int taintedloopboundary(void) {
    int count;
    if (scanf("%d", &count) != 1) {
        return 0; /* no integer was read: do not use the uninitialized count */
    }
    int res = 0;

    /* Both ends of the range are checked: negative counts and counts of
       SIZE128 or more never reach the loop */
    if (count>=0 && count<SIZE128) {
        for (int i=0 ; i<count ; ++i) {
            res += i;
        }
    }
    return res;
}
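Both corrections above read count with scanf("%d") and then either clamp it or range-check it. The following added example (not Polyspace's code) shows the two strategies side by side on string input parsed with strtol, which also rejects non-numeric text and values that do not fit in a long, cases where scanf("%d") either fails and leaves count uninitialized or, on overflow, has undefined behavior. LOOP_MAX, parse_count, sum_checked and sum_clamped are names assumed for this example, and the inputs in main are constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Largest loop count we are willing to run; chosen for this example. */
#define LOOP_MAX 127L

/* Parse a decimal integer from untrusted text. Succeeds only when the whole
 * string (an optional trailing newline excepted) is one in-range integer. */
static bool parse_count(const char *text, long *out)
{
    if (text == NULL || *text == '\0') {
        return false;
    }
    char *end = NULL;
    errno = 0;
    long value = strtol(text, &end, 10);
    if (errno == ERANGE) {          /* does not fit in a long */
        return false;
    }
    if (end == text) {              /* no digits at all, e.g. "abc" */
        return false;
    }
    if (*end == '\n') {             /* tolerate the newline fgets leaves */
        ++end;
    }
    if (*end != '\0') {             /* trailing garbage such as "12abc" */
        return false;
    }
    *out = value;
    return true;
}

/* Reject strategy (like the page's second correction): run the loop only
 * when 0 <= count <= LOOP_MAX. Returns -1 for any rejected input. */
int sum_checked(const char *input)
{
    long count;
    if (!parse_count(input, &count) || count < 0 || count > LOOP_MAX) {
        return -1;
    }
    int res = 0;
    for (long i = 0; i < count; ++i) {
        res += (int)i;
    }
    return res;
}

/* Clamp strategy (like the page's first correction): saturate count into
 * [0, LOOP_MAX]; unparsable input is treated as 0 iterations. */
int sum_clamped(const char *input)
{
    long count;
    if (!parse_count(input, &count)) {
        count = 0;
    }
    if (count < 0) {
        count = 0;
    } else if (count > LOOP_MAX) {
        count = LOOP_MAX;
    }
    int res = 0;
    for (long i = 0; i < count; ++i) {
        res += (int)i;
    }
    return res;
}

int main(void)
{
    /* Constructed sample inputs standing in for what scanf/fgets would read. */
    const char *samples[] = { "10", "127", "-1", "128", "12abc",
                              "99999999999999999999", "" };
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; ++i) {
        printf("%-22s checked=%5d clamped=%5d\n", samples[i],
               sum_checked(samples[i]), sum_clamped(samples[i]));
    }
    return 0;
}
```

Which strategy to use depends on what the bound means: rejecting is right when an out-of-range count indicates a protocol violation or an attack and the caller can report it, clamping is right when the loop must always make progress and a saturated count is an acceptable result. Either way both ends of the range are enforced before the loop starts, which is what the checker is looking for.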

Check Information

Category: Data Validation Issues

Version History

Introduced in R2023b