SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 173

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version 174

changes.mady.by.user Aaron Ballman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Rolled in the interesting bits from MEM09-C and added a new NCCE/CS

...

In the common case of local, automatic variables being stored on the program stack, their values default to whichever values are currently stored in stack memory. Uninitialized memory has indeterminate value, which for objects of some types can be a trap representation. Reading uninitialized memory is undefined behavior (see undefined behavior 10 and undefined behavior 12 in Annex J of the C Standard); it can cause a program to behave in an unexpected manner and provide an avenue for attack.

Additionally, memory allocated by functions, such as malloc(), should not be read before being initialized because its contents are also indeterminate.

Additionally, some dynamic memory allocation functions do not initialize the contents of the memory they allocate.

Function

Initialization

aligned_alloc()

Does not perform initialization

calloc()

Writes zeros to allocated memory

malloc()

Does not perform initialization

realloc()

Copies contents from original pointer; may not initialize all memory

Uninitialized memory has indeterminate value, which for objects of some types can be a trap representation. Reading uninitialized memory is undefined behavior (see undefined behavior 10 and undefined behavior 12 in Annex J of the C Standard); it can cause a program to behave in an unexpected manner and provide an avenue for attack. In most cases, compilers issue a warning diagnostic message when reading uninitialized variables. See MSC00-C. In most cases, compilers issue a warning diagnostic message when reading uninitialized variables. See MSC00-C. Compile cleanly at high warning levels for more information.

Noncompliant Code Example (Return-by-Reference)

In this noncompliant code example, the set_flag() function is intended to set the parameter, sign_flag, to the sign of number. However, the programmer neglected to account for number being 0. Because the local variable sign is uninitialized when calling set_flag(), and is never written to by set_flag(), the comparison operation exhibits undefined behavior when reading sign.

...

This defect results from a failure to consider all possible data states. (See MSC01-C. Strive for logical completeness.) Once the problem is identified, 

Compliant Solution (Return-by-Reference)

This compliant solution trivially repairs the problem by accounting for the possibility that number can be equal to 0.

...

Code Block
bgColor#ccccff
langc
void set_flag(int number, int *sign_flag) {
  if (NULL == sign_flag) {
    return;
  }

  if (number >= 0) { /* Account for number being 0 */
    *sign_flag = 1;
  } else {
    *sign_flag = -1;
  }
}

int is_negative(int number) {
  int sign = 0;   /* Initialize for defense-in-depth */
  set_flag(number, &sign);
  return sign < 0;
}

Noncompliant Code Example (Uninitialized Local)

In this noncompliant code example, the programmer mistakenly fails to set the local variable error_log to the msg argument in the report_error() function [Mercy 2006]. Because error_log has not been initialized, reading it results in undefined behavior, and an indeterminate value is read. The sprintf() call copies data from the arbitrary location pointed to by the indeterminate error_log variable until a null byte is reached, which can result in a buffer overflow.

Code Block
bgColor#FFCCCC
langc
#include <stdio.h>

/* Get username and password from user, return -1 on error */
extern int do_auth(void);
 
void report_error(const char *msg) {
  enum { BUFFERSIZE = 24 };
  const char *error_log;
  char buffer[BUFFERSIZE];

  sprintf(buffer, "Error: %s", error_log);
  printf("%s\n", buffer);
}

int main(void) {
  if (do_auth() == -1) {
    report_error("Unable to login");
  }
  return 0;
}

Noncompliant Code Example (Uninitialized Local)

In this noncompliant code example, the report_error() function has been modified so that error_log is properly initialized:

...

This example is still problematic because a buffer overflow will occur if the null-terminated byte string referenced by msg is greater than 17 characters, including the null terminator. For more information, see STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator.

Compliant

...

Solution (Uninitialized Local)

In this compliant solution, the buffer overflow is eliminated by using the snprintf() function:

Code Block
bgColor#ccccff
langc
#include <stdio.h>
 
void report_error(const char *msg) {
  enum { BUFFERSIZE = 24 };
  const char *error_log = msg;
  char buffer[BUFFERSIZE];

  snprintf(buffer, BUFFERSIZE, "Error: %s", error_log);
  printf("%s\n", buffer);
}

Compliant Solution (Uninitialized Local)

A less error-prone compliant solution is to simply print the error message directly instead of using an intermediate buffer:

...

Code Block
bgColor#ccccff
langcc
#include <time.h>
#include <unistd.h>
#include <stdlib.h>

void func(void) {     
  double cpu_time;
  struct timeval tv;

  cpu_time = ((double) clock()) / CLOCKS_PER_SEC;
  gettimeofday(&tv, NULL);
  srandom((getpid() << 16) ^ tv.tv_sec ^ tv.tv_usec);
}

Noncompliant Code Example (realloc())

The realloc() function changes the size of a dynamically allocated memory object. The initial size bytes of the returned memory object are unchanged, but any newly added space is uninitialized, and its value is indeterminate. As in the case of malloc(), accessing memory beyond the size of the original object results in undefined behavior. See undefined behavior 181 in Annex J of the standard.

It is the programmer's responsibility to ensure that any memory allocated with malloc() and realloc() is properly initialized before it is used.

In this noncompliant code example, an array is allocated with malloc() and properly initialized. At a later point, the array is grown to a larger size, but does not initialize any values beyond what the original array contained. Subsequently, accessing the uninitialized values in the new array results in undefined behavior.

Code Block
bgColor#FFCCCC
langc
#include <stdlib.h>

#include <stdio.h>
 
int *resize_array(int *array, size_t count) {
  if (0 == count) {
    return 0;
  }
 
  int *ret = (int *)realloc(array, count * sizeof(int));
  if (!ret) {
    free(array);
    return 0;
  }
 
  return ret;
}
 
void func(void) {
  enum { OLD_SIZE = 10, NEW_SIZE = 20 };
 
  int *array = (int *)malloc(OLD_SIZE * sizeof(int));
  if (0 == array) {
    /* Handle error */
  }
 
  for (int i = 0; i < OLD_SIZE; ++i) {
    array[i] = i;
  }
 
  array = resize_array(array, NEW_SIZE);
  if (0 == array) {
    /* Handle error */
  }
 
  for (int i = 0; i < NEW_SIZE; ++i) {
    printf("%d ", array[i]);
  }
}

Compliant Solution (realloc())

In this compliant solution, the resize_array() helper function takes a second parameter for the old size of the array so that it can initialize any elements that are newly allocated.

Code Block
bgColor#ccccff
langc
#include <stdlib.h>
#include <stdio.h> 
 
int *resize_array(int *array, size_t old_count,
                  size_t new_count) {
  if (0 == new_count) {
    return 0;
  }
 
  int *ret = (int *)realloc(array, new_count * sizeof(int));
  if (!ret) {
    free(array);
    return 0;
  }
 
  if (new_count > old_count) {
    for (size_t i = new_count - old_count;
         i < new_count; ++i) {
      ret[i] = 0;
    }
  }
 
  return ret;
}
 
void func(void) {
  enum { OLD_SIZE = 10, NEW_SIZE = 20 };
 
  int *array = (int *)malloc(OLD_SIZE * sizeof(int));
  if (0 == array) {
    /* Handle error */
  }
 
  for (int i = 0; i < OLD_SIZE; ++i) {
    array[i] = i;
  }
 
  array = resize_array(array, OLD_SIZE, NEW_SIZE);
  if (0 == array) {
    /* Handle error */
  }
 
  for (int i = 0; i < NEW_SIZE; ++i) {
    printf("%d ", array[i]);
  }
}#include <time.h>
#include <unistd.h>
#include <stdlib.h>

void func(void) {     
  double cpu_time;
  struct timeval tv;

  cpu_time = ((double) clock()) / CLOCKS_PER_SEC;
  gettimeofday(&tv, NULL);
  srandom((getpid() << 16) ^ tv.tv_sec ^ tv.tv_usec);
}

Exceptions

EXP33-EX1: Reading uninitialized memory of type unsigned char does not trigger undefined behavior. The unsigned char type is defined to not have a trap representation (see the C Standard, subclause 6.2.6.1, paragraph 3), which allows for moving bytes without knowing if they are initialized. However, on some architectures, such as the Intel Itanium, registers have a bit to indicate whether or not they have been initialized. The C Standard, subclause 6.3.2.1, paragraph 2, allows such implementations to cause a trap for an object that never had its address taken and is stored in a register if such an object is referred to in any way.

...

CERT C Secure Coding StandardMSC00-C. Compile cleanly at high warning levels
MSC01-C. Strive for logical completeness
CERT C++ Secure Coding StandardEXP33-CPP. Do not reference uninitialized memory
ISO/IEC TR 24772:2013Initialization of Variables [LAV]
ISO/IEC TS 17961Referencing uninitialized memory [uninitref]
MITRE CWECWE-119, Failure to constrain operations within the bounds of an allocated memory buffer
CWE-665, Incorrect or incomplete initialization

Bibliography

[Flake 2006] 
[ISO/IEC 9899:2011]Subclause 6.7.9, "Initialization"
Subclause 6.2.6.1, "General"
Subclause 6.3.2.1, "Lvalues, Arrays, and Function Designators"
[Mercy 2006] 
[Wang 2012]"More Randomness or Less"
[xorl 2009]"CVE-2009-1888: SAMBA ACLs Uninitialized Memory Read"

...