Faults in Linux: Using value taken from user as array bounds without check

As part of my project, while reading the reports, I came to know about bugs of type where unchecked values obtained from the user level are used as array indices or loop bounds..  These were less in the versions 2.4.x and 2.6.x. I was also required to list FPs (false positives) by Coccinelle. This post is be about the mentioned type.

You can view the complete report as a PDF here and as a HTML file here.

What is this bug type?

If X is a value that comes from user space, but there is no check on what its value is. It could be huge, or negative if the type of the field is not unsigned.

Types I studied?

I studied two types:

Bugs and FPs for this case?

Most of them were where a length is taken from the user but not checked and then used for array bounds.



#array-bounds, #array-indices, #coccinelle, #false-positives