
Faults in Linux: Using value taken from user as array bounds without check

As part of my project, while reading the reports, I came to know about a type of bug where unchecked values obtained from the user level are used as array indices or loop bounds. These were fewer in the versions 2.4.x and 2.6.x. I was also required to list FPs (false positives) by Coccinelle. This post is about the mentioned type.

You can view the complete report as a PDF here and as an HTML file here.

 

What is this bug type?

X is a value that comes from user space, but there is no check on what its value is. It could be huge, or negative if the type of the field is not unsigned.
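A userspace model of this pattern, added here as an illustration and not taken from the report or from kernel code: `struct req`, `slots`, `buf` and all function names are hypothetical, and the struct stands in for data already copied in from user space. It shows why an upper-bound-only test misses a negative signed index, and a length bounded before it is used.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NSLOTS 8                     /* constructed table size */

struct req {                         /* constructed: stands in for a struct copied in from user space */
    int idx;                         /* signed, so the caller can make it negative */
    unsigned int len;                /* caller-chosen length */
    unsigned char data[64];
};

static int slots[NSLOTS];
static unsigned char buf[16];

/* Incomplete check: only the upper bound is tested, so idx = -1 passes. */
int idx_ok_upper_only(int idx) { return idx < NSLOTS; }

/* Complete check for a signed index: both ends of the range. */
int idx_ok(int idx) { return idx >= 0 && idx < NSLOTS; }

/* Index use with the value validated before it reaches the array. */
int set_slot(const struct req *r, int value)
{
    if (!idx_ok(r->idx))
        return -EINVAL;
    slots[r->idx] = value;
    return 0;
}

/* Length use: bounded by the destination and by the source buffer. */
int fill_buf(const struct req *r)
{
    if (r->len > sizeof(buf) || r->len > sizeof(r->data))
        return -EINVAL;
    memcpy(buf, r->data, r->len);
    return (int)r->len;
}

int main(void)
{
    struct req r = { .idx = -1, .len = 4096 };   /* constructed hostile request */
    printf("upper-only check accepts idx=-1: %d\n", idx_ok_upper_only(r.idx));
    printf("set_slot: %d, fill_buf: %d\n", set_slot(&r, 1), fill_buf(&r));
    return 0;
}
```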

 

Types I studied?

I studied two types:

 

Bugs and FPs for this case?

Most of them were cases where a length is taken from the user, not checked, and then used for array bounds.

 

More are coming! 🙂

 

 

 
