SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 83

changes.mady.by.user Carol J. Lallier

Saved on

compared with

New Version 84

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

All integer values originating from tainted sources should be evaluated to determine if they have identifiable upper and lower bounds. If so, these limits should be enforced by the interface. Restricting the input of excessively large or small integers helps prevent overflow, truncation, and other type range errors. Furthermore, it is easier to find and correct input problems than it is to trace internal errors back to faulty inputs.

Noncompliant Code Example

In this noncompliant code example, length is the value of a user-defined (and thus potentially untrusted) environment variable whose value is used to determine the size of a dynamically allocated array, table. In compliance with INT30-C. Ensure that unsigned integer operations do not wrap, the code prevents unsigned integer wrapping but does not impose any upper bound on the size of the array, making it possible for the user to cause the program to use an excessive amount of memory.

...

Because length is user controlled, the value can result in a large block of memory being allocated or can cause the call to malloc() to fail. Depending on how error handling is implemented, it may result in a denial-of-service attack or other error.

Compliant Solution

This compliant solution defines the acceptable range for length as [1, MAX_TABLE_LENGTH]. The length parameter is declared as size_t, which is unsigned by definition. Consequently, it is not necessary to check length for negative values. (See INT01-C. Use rsize_t or size_t for all integer values representing the size of an object.)

...

The test for length == 0 ensures that a nonzero number of bytes is allocated. (See MEM04-C. Do not perform Beware of zero-length allocations.)

Noncompliant Code Example

In this noncompliant example, the tainted integer color_index is used in pointer arithmetic to index into the array table:

...

The test for length == 0 ensures that a nonzero number of bytes is allocated. (See MEM04-C. Do not perform Beware of zero-length allocations.)

Risk Assessment

Failing to enforce the limits on integer values can result in a denial-of-service attack.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

INT04-C

Low

Probable

High

P2

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C++ Secure Coding StandardINT04-CPP. Enforce limits on integer values originating from untrusted sources
ISO/IEC TS 17961Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink]

Bibliography

[Seacord 2013]Chapter 5, "Integer Security"

...