Use of tainted pointer
Pointer from an unsecure source may be NULL or point to unknown memory
Description
This defect occurs when:
Tainted NULL pointer — the pointer obtained from an unsecure source is not validated against NULL.
Tainted size pointer — the size of the memory zone that an unsecure pointer points to is not validated.
Note
On a single pointer, your code can have instances of Use of tainted pointer, Pointer dereference with tainted offset, and Tainted NULL or non-null-terminated string. Bug Finder raises only the first tainted pointer defect that it finds.
Risk
An attacker can give your program a pointer that points to unexpected memory locations. If the pointer is dereferenced to write, the attacker can:
Modify the state variables of a critical program.
Cause your program to crash.
Execute unwanted code.
If the pointer is dereferenced to read, the attacker can:
Read sensitive data.
Cause your program to crash.
Modify a program variable to an unexpected value.
Fix
Avoid use of pointers from external sources.
Alternatively, if you trust the external source, sanitize the pointer before dereference. In a separate sanitization function:
Check that the pointer is not NULL.
Check the size of the memory location (if possible). This second check validates whether the size of the data the pointer points to matches the size your program expects.
The defect still appears in the body of the sanitization function. However, if you use a sanitization function, instead of several occurrences, the defect appears only once. You can justify the defect and hide it in later reviews by using code annotations. See:
Address Results in Polyspace User Interface Through Bug Fixes or Justifications if you review results in the Polyspace user interface.
Address Results in Polyspace Access Through Bug Fixes or Justifications (Polyspace Access) if you review results in a web browser.
Annotate Code and Hide Known or Acceptable Results if you review results in an IDE.
Extend Checker
By default, Polyspace® assumes that data from external sources are tainted. See Sources of Tainting in a Polyspace Analysis. To consider any data that does not originate in the current scope of Polyspace analysis as tainted, use the command line option -consider-analysis-perimeter-as-trust-boundary.
Examples
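As an added illustration (not the page's own example code), the constructed C program below shows the defect beside the fix described under Fix: process_unchecked dereferences the tainted pointer directly, while process_checked dereferences only what the separate sanitization function sanitize_payload returns after the NULL check and the size check. The message_t layout, the sample data and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define EXPECTED_SIZE 16u

/* Constructed message shape: an untrusted peer hands us a pointer and the
 * size it claims the pointed-to block has. Both fields are tainted. */
typedef struct {
    const uint8_t *payload;
    size_t size;
} message_t;

/* Defective: dereferences the tainted pointer without any check. */
int process_unchecked(const message_t *msg, uint8_t out[EXPECTED_SIZE])
{
    memcpy(out, msg->payload, EXPECTED_SIZE);  /* Use of tainted pointer */
    return 0;
}

/* Sanitization function: the single place that examines the tainted
 * pointer. Returns it if both checks pass, NULL otherwise. The declared
 * size is itself tainted, so the second check is only as strong as the
 * protocol that supplies that field. */
const uint8_t *sanitize_payload(const message_t *msg, size_t expected)
{
    if (msg == NULL || msg->payload == NULL)   /* check 1: not NULL */
        return NULL;
    if (msg->size != expected)                 /* check 2: expected size */
        return NULL;
    return msg->payload;
}

/* Callers dereference only what the sanitizer returned. */
int process_checked(const message_t *msg, uint8_t out[EXPECTED_SIZE])
{
    const uint8_t *p = sanitize_payload(msg, EXPECTED_SIZE);
    if (p == NULL)
        return -1;                             /* reject, do not dereference */
    memcpy(out, p, EXPECTED_SIZE);
    return 0;
}

/* Constructed sample inputs: one valid message and two that must be rejected. */
static const uint8_t sample[EXPECTED_SIZE] = { 0xA5, 0x5A, 0xA5, 0x5A };
const message_t good_msg       = { sample, EXPECTED_SIZE };
const message_t null_ptr_msg   = { NULL, EXPECTED_SIZE };
const message_t wrong_size_msg = { sample, 4 };
uint8_t scratch[EXPECTED_SIZE];
```

With a sanitization function in place, Bug Finder reports the tainted pointer once, inside sanitize_payload, rather than at every dereference site.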
Result Information
Group: Tainted Data
Language: C | C++
Default: Off
Command-Line Syntax: TAINTED_PTR
Impact: Low
Version History
Introduced in R2015b
See Also
Pointer dereference with tainted offset | Find defects (-checkers) | -consider-analysis-perimeter-as-trust-boundary
Topics
- Interpret Bug Finder Results in Polyspace Desktop User Interface
- Interpret Bug Finder Results in Polyspace Access Web Interface (Polyspace Access)
- Address Results in Polyspace User Interface Through Bug Fixes or Justifications
- Address Results in Polyspace Access Through Bug Fixes or Justifications (Polyspace Access)
- Sources of Tainting in a Polyspace Analysis
- Modify Default Behavior of Bug Finder Checkers