The C Standard identifies the following distinct situations in which undefined behavior (UB) can arise as a result of invalid pointer operations:
UB | Description | Example Code |
|---|---|---|
Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that does not point into, or just beyond, the same array object. | ||
Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that points just beyond the array object and is used as the operand of a unary | Dereferencing Past the End Pointer, Using Past the End Index | |
An array subscript is out of range, even if an object is apparently accessible with the given subscript, for example, in the lvalue expression | ||
An attempt is made to access, or generate a pointer to just past, a flexible array member of a structure when the referenced object provides no elements for that array. |
| Anchor | ||||
|---|---|---|---|---|
|
...
Writing to out-of-range pointers or array subscripts can result in a buffer overflow and the execution of arbitrary code with the permissions of the vulnerable process. Reading from out-of-range pointers or array subscripts can result in unintended information disclosure.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
ARR30-C | High | Likely | High | P9 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| pointered-deallocation array-index-range null-dereferencing | Partially checked | ||||||
| CodeSonar |
| LANG.MEM.BO LANG.MEM.TBA LANG.MEM.TO LANG.STRUCT.PBB BADFUNC.BO.* | Buffer overrun Tainted buffer access Type overrun Pointer before beginning of object A collection of warning classes that report uses of library functions prone to internal buffer overflows. | ||||||
| Compass/ROSE |
Could be configured to catch violations of this rule. The way to catch the noncompliant code example is to first hunt for example code that follows this pattern: for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\'; In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer. Once this case is handled, ROSE can handle cases like the real noncompliant code example, which is effectively the same semantics, just different syntax | |||||||||
| OVERRUN NEGATIVE_RETURNS ARRAY_VS_SINGLETON BUFFER_SIZE | Can detect the access of memory past the end of a memory buffer/array Can detect when the loop bound may become negative Can detect the out-of-bound read/write to array allocated statically or dynamically Can detect buffer overflows | |||||||
| Klocwork |
| ABV.ANY_SIZE_ARRAY |
| LDRA tool suite |
| 45 D, 47 S, 476 S, 489 S, 64 X, 66 X, 68 X, 69 X, 70 X, 71 X, 79 X | Partially implemented | ||||||
| Parasoft C/C++test |
|
|
| BD-PB-ARRAY | Partially implemented | |||||||
| Polyspace Bug Finder | R2016a | Array index outside bounds during array access Array index from unsecure source possibly outside array bounds Pointer dereferenced outside its bounds Offset is from an unsecure source and dereference may be out of bounds Pointer from an unsecure source may be NULL or point to unknown memory | |||||||
| PRQA QA-C |
| 2840, 2841, 2842, 2843, 2844, 2930, 2931, 2932, 2933, 2934, 2950, | Partially implemented | ||||||
| PRQA QA-C++ |
| 2820, 2821, 2822, 2823, 2824, 2840, 2841, 2842, 2843, 2844, 2930, | Partially implemented | ||||||
| Cppcheck |
| arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond, possibleBufferAccessOutOfBounds | Context sensitive analysis of array index, pointers, etc. Array index out of bounds Buffer overflow when calling various functions memset,strcpy,.. Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds | ||||||
| PVS-Studio | 6.22 | V512, V557, V582, V594, V643, V645, V694 | General analysis rule set |
Related Vulnerabilities
CVE-2008-1517 results from a violation of this rule. Before Mac OSX version 10.5.7, the XNU kernel accessed an array at an unverified user-input index, allowing an attacker to execute arbitrary code by passing an index greater than the length of the array and therefore accessing outside memory [xorl 2009].
...
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| ISO/IEC TR 24772:2013 | Arithmetic Wrap-Around Error [FIF] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TR 24772:2013 | Unchecked Array Indexing [XYZ] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TS 17961 | Forming or using out-of-bounds pointers or array subscripts [invptr] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CWE 2.11 | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | 2017-05-18: CERT: Rule subset of CWE |
| CWE 2.11 | CWE-123, Write-what-where Condition | 2017-05-18: CERT: Partial overlap |
| CWE 2.11 | CWE-125, Out-of-bounds Read | 2017-05-18: CERT: Partial overlap |
| MISRA C:2012 | Rule 18.1 (required) | Prior to 2018-01-12: CERT: Unspecified Relationship |
CERT-CWE Mapping Notes
Key here for mapping notes
...
CWE-789 is about allocating memory, not array subscripting
Bibliography
| [Finlay 2003] |
| [Microsoft 2003] |
| [Pethia 2003] |
| [Seacord 2013b] | Chapter 1, "Running with Scissors" |
| [Viega 2005] | Section 5.2.13, "Unchecked Array Indexing" |
| [xorl 2009 ] | "CVE-2008-1517: Apple Mac OS X (XNU) Missing Array Index Validation" |
...
...