SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 63

changes.mady.by.user Astha Singhal

Saved on

compared with

New Version 64

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The C Secure Coding Rules Draft Technical Specification [SD:ISO/IEC 2011TR 17961] defines  defines the following terms:

Given an integer expression E, the derived type T of E is determined as follows:

  • if E is a sizeof expression then T is the type of the operand of the expression,
  • otherwise, if E is an identifier, then T is the derived type of the expression last used to store a value in E,
  • otherwise, if the derived type of each of E's subexpressions is the same, then T is that type,
  • otherwise, the derived type is an unspecified character type compatible with any of char, signed char, and unsigned char.

EXAMPLE For the following declarations:

Code Block
langc

double a[40];
size_t n0 = sizeof (int);
size_t n1 = 256;
size_t n2 = sizeof a / sizeof (*a);

The derived type of n0 is int, and the derived type of n1 and n2 is a (hypothetical) unspecified character type that is compatible with any of char, signed char, and unsigned char.

Consider the following code:

Code Block

int val;
int arr[ARR_SIZE];
size_t c1 = sizeof (val);
size_t c2 = sizeof (arr) / sizeof (val);
size_t c3 = sizeof (arr) / sizeof (*arr);

...

Expresses either the size of an object with an effective type, or the number of bytes allocated for such an object.

For an object with an effective type T the effective size of the object is the result of the sizeof(T) expression. For an object with no effective type (for example, an object for which space has just been allocated by a call to malloc(N)), the effective size is the number of bytes allocated for it (that is, N).

EXAMPLE 1 The effective size of *p refers to the effective size of the object or space referenced by p minus the offset of p from the beginning of the space or object, respectively.

EXAMPLE 2 For the following declarations

Code Block
langc

int a[5];
void *p = a + 2;

the effective size of *p is equal to sizeof(a - 2) * sizeof(*a), or 12 when sizeof(int) is 4.

...

In the following code:

Code Block

int arr[5];
int *p = arr;

...

Consider the following code:

Code Block

char *p;
void *q;
q = obj;

...

memcpy()

memmove()

memset()

wmemcpy()

wmemmove()

strftime()

calloc()

malloc()

realloc()

strncpy()

swprintf()

vswprintf()

wcsncpy()

strxfrm()

snprintf()

vsnprintf()

fwrite()*

fread()*

*Both functions take more than one size_t argument. In such cases, the compliant code must be consistent with the purpose of these arguments. For example, in the case of fread():

Code Block

size_t fread(void *ptr, size_t size, size_t count, FILE *stream)

...

This noncompliant code example assigns a value greater than the size of available memory to n, which is then passed to memset().

Code Block
bgColor#FFcccc

void f1(size_t nchars) {
  char *p = (char *)malloc(nchars);
  const size_t n = nchars + 1;

  memset(p, 0, n);
  /* ... */
}

...

This compliant solution ensures that the value of n is not greater than the size of the dynamic memory pointed to by the pointer p:

Code Block
bgColor#ccccff

void f1(size_t nchars, size_t val) {

  char *p = (char *)malloc(nchars);
  const size_t n = val;

  if (nchars < n) {
    /* Handle Error */
  } else {
    memset(p, 0, n);
  }
  /* ... */
}

...

In this noncompliant code example, the effective type of *p is float, and the derived type of the expression n is int. This is calculated using the first rule from N1579from TR 17961's [SD:1] definition of derived types (see Definitions section [ISO/IEC TR 17961]). Because n contains the result of a sizeof expression, its derived type is equal to the type of the operand, which is int.

Code Block
bgColor#FFcccc

void f2() {
  const size_t ARR_SIZE = 4;
  float a[ARR_SIZE];
  const size_t n = sizeof(int) * ARR_SIZE;
  void *p = a;

  memset(p, 0, n);
  /* ... */
}

Note: While still noncompliant Although it is noncompliant, this code will have code has no ill effects on architectures where sizeof(int) is equal to sizeof(float).

...

In this compliant solution, the derived type of n is also float.

Code Block
bgColor#ccccff

void f2() {
  const size_t ARR_SIZE = 4;
  float a[ARR_SIZE];
  const size_t n = sizeof(float) * ARR_SIZE;
  void *p = a;

  memset(p, 0, n);
  /* ... */
}

...

In this noncompliant code example, the size of n could be greater than the size of *p. Also, the effective type of *p (int) is different than the effective type of *q (float).

Code Block
bgColor#FFcccc

void f3(int *a) {
  float b = 3.14;
  const size_t n = sizeof(*b);
  void *p = a;
  void *q = &b;

  memcpy(p, q, n);
  /* ... */
}

Note: While still noncompliant Although it is noncompliant, this code does not constitute a vulnerability on implementations where sizeof(int) is equal to sizeof(float).

...

This compliant solution ensures that the value of n is not greater than the minimum of the effective sizes of *p and *q and that the effective types of the two pointers are identical (float).

Code Block
bgColor#ccccff

void f3(float *a, size_t val) {
  float b = 3.14;
  const size_t n = val;
  void *p = a;
  void *q = &b;

  if( (n > sizeof(a)) || (n > sizeof(b)) ) {
    /* Handle error */
  } else {
    memcpy(p, q, n);
    /* ... */
  }
}

...

In this noncompliant code example, the value of n is greater than the size of T, that is, sizeof(wchar_t). But the derived type of expression n (wchar_t *) is not the same as the type of T because its derived type (see Definitions section[ISO/IEC TR 17961]) will be equal to the type of p, which is wchar_t*. The derived type of n is calculated using the first rule from N1579's [SD:1] definition from TR 17961's definition of derived types (see Definitions section[ISO/IEC TR 17961]). Because n here is a sizeof expression, its derived type is equal to the type of the operand (p), which is wchar_t *.

Code Block
bgColor#FFcccc

wchar_t *f4() {
  const wchar_t *p = L"Hello, World!";
  const size_t n = sizeof(p) * (wcslen(p) + 1);

  wchar_t *q = (wchar_t*) malloc(n);
  return q;
}

...

This compliant solution ensures that the derived type of n (wchar_t) is the same as the type of T (wchar_t) and that the value of n is not less than the size of T.

Code Block
bgColor#ccccff

wchar_t *f4() {
  const wchar_t *p = L"Hello, World!";
  const size_t n = sizeof(wchar_t) * (wcslen(p) + 1);

  wchar_t *q = (wchar_t*) malloc(n);
  return q;
}

...

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ARR38-C

high

likely

medium

P18

L1

Related Guidelines

C Secure Coding Standard, API00-C. Functions should validate their parameters (https://www.securecoding.cert.org/confluence/display/seccode/API00-C.+Functions+should+validate+their+parameters)

ISO/IEC TR 17961 (Draft) Forming N1579: N1579, Rule 5.34 Forming invalid pointers by library functions [libptr]

Bibliography

[SD:ISO/IEC 2011] ISO/IEC. N1579 Information Technology — Programming languages, their environments and system software interfaces — C Secure Coding Rules C Secure Coding Rules. September, 2011.TR 17961] "Programming Languages,Ttheir Environments and System Software Interfaces"