...
Failure to understand and properly use pointer arithmetic can allow an attacker to execute arbitrary code.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
EXP08-C | High | Probable | High | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||
|---|---|---|---|---|---|---|---|
| Astrée |
|
| Supported, but no explicit checker | |||||||||
| CodeSonar |
| LANG.STRUCT.PARITH LANG.MEM.BO | Pointer arithmetic Buffer overrun | ||||||
| Klocwork |
| ABV.ITERATOR ABV.GENERAL |
| LDRA tool suite |
| 45 D | Partially implemented | ||||||
| Parasoft C/C++test |
|
|
| MISRA-101 BD-PB-ARRAY | Checks all array access, not just pointer arithmetic | |||
| Parasoft Insure++ |
| Runtime analysis for over- or under- read or write | |||||||||
| Polyspace Bug Finder | R2016a | Implicit scaling in pointer arithmetic might be ignored Pointer dereferenced outside its bounds | |||||||
| PRQA QA-C |
| 0488, 2930, 2931, 2932, 2933, 2934 | Partially implemented |
| PVS-Studio | 6.22 | V503, V520, V574, V600, V613, V619, V620, V643, V650, V687, V769, V1004 | General analysis rule set |
How long is 4 yards plus 3 feet? It is obvious from elementary arithmetic that any answer involving 7 is wrong, as the student did not take the units into account. The right method is to convert both numbers to reflect the same units.
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C++ Coding Standard | VOID EXP08-CPP. Ensure pointer arithmetic is used correctly |
| ISO/IEC TR 24772:2013 | Pointer Casting and Pointer Type Changes [HFC] Pointer Arithmetic [RVG] |
| ISO/IEC TS 17961 | Forming or using out-of-bounds pointers or array subscripts [invptr] |
| MISRA C:2012 | Rule 18.1 (required) Rule 18.2 (required) Rule 18.3 (required) Rule 18.4 (advisory) |
| MITRE CWE | CWE-468, Incorrect pointer scaling |
Bibliography
| [Dowd 2006] | Chapter 6, "C Language Issues" |
| [Murenin 2007] |
...
...