Page History

...

• Using pointer arithmetic so that the result does not point into or just past the end of the same object
• Using such pointers in arithmetic expressions
• Dereferencing pointers that do not point to a valid object in memory
• Using an array subscript so that the resulting reference does not refer to an element in the array

The C standard [ISO/IEC 9899:2011] Standard identifies the following distinct situations in which undefined behavior (UB) can arise as a result of invalid pointer operations:

...

In the following noncompliant code example the function f() attempts to validate the index before using it as an offset to the statically allocated table of integers. However, the function fails to reject negative index values. When index is less than zero, the behavior of the addition expression in the return statement of the function is undefined behavior 46. On some implementations, the addition alone can trigger a hardware trap. On other implementations, the addition may produce a result that when dereferenced can trigger a hardware trap. Other implementations still may produce a dereferenceable pointer that points to an object distinct from table. Using such a pointer to access the object may lead to information exposure or cause the wrong object to be modified.

...

The following noncompliant code example shows the flawed logic in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface that was exploited by the W32.Blaster.Worm. The error is that the while loop in the GetMachineName() function (used to extract the host name from a longer string) is not sufficiently bounded. When the character array pointed to by pwszTemp does not contain the backslash character among the first MAX_COMPUTERNAME_LENGTH_FQDN + 1 elements, the final valid iteration of the loop will dereference past the end pointer, resulting in exploitable undefined behavior 47 . In this case, the actual exploit allowed the attacker to inject executable code into a running program. Economic damage from the Blaster worm has been estimated to be at least $525 million [Pethia 2003].

...

In the following compliant solution, the while loop in the GetMachineName() function is bounded so that the loop terminates when a backslash character is found, the null termination character (L'\0') is discovered, or the end of the buffer is reached. This code does not result in a buffer overflow, even if no backslash character is found in wszMachineName.

...

The following noncompliant code example declares matrix to consist of 7 rows and 5 columns in row-major order. The function init_matrix then iterates over all 35 elements in an attempt to initialize each to the value given by the function argument x. However, since multidimensional arrays are declared in C in row-major order, and the function iterates over the elements in column-major order, and when the value of j reaches the value COLS during the first iteration of the outer loop, the function attempts to access element matrix[0][5]. Because the type of matrix is int[7][5], the j subscript is out of range, and the access has undefined behavior 49.

static const size_t COLS = 5;
static const size_t ROWS = 7;

static int matrix[ROWS][COLS];

void init_matrix(int x) {
  for (size_t i = 0; i != COLS; ++i)
    for (size_t j = 0; j != ROWS; ++j)
      matrix[i][j] = x;
}

...

In the following noncompliant code example the function find() attempts to iterate over the elements of the flexible array member buf, starting with the second element. However, since function g() does not allocate any storage for the member, the expression first++ in find() attempts to form a pointer just past the end of buf when there are no elements. This attempt results in undefined behavior 62 .

struct S {
  size_t len;
  char   buf[];   /* flexible array member */
};

char* find(const struct S *s, int c) {
  char *first = s->buf;
  char *last  = s->buf + s->len;

  while (first++ != last)   /* undefined behavior here */
    if (*first == (unsigned char)c)
      return first;

  return NULL;
}

void g() {
  struct S *s = (struct S*)malloc(sizeof (struct S));
  s->len = 0;
  /* ... */
  char *where = find(s, '.');
  /* ... */
}

...

In the following noncompliant code example, the function f() calls fread() to read nitems of type wchar_t, each size bytes in size, into an array of BUFSIZ elements, wbuf. However, the expression used to compute the value of nitems fails to account for the fact that, unlike the size of char, the size of wchar_t may be greater than 1. Thus, fread() could attempt to form pointers past the end of wbuf and use them to assign values to nonexisting elements of the array. Such an attempt results in undefined behavior 109 . A likely manifestation of this undefined behavior is a classic buffer overflow, which is often exploitable by code injection attacks.

...

   for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\';
   *pwszTemp++;)

   for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\';
   *pwszTemp++;)

Related Vulnerabilities

CVE-2008-1517 results from a violation of this rule. Before Mac OSX version 10.5.7, the xnu kernel accessed an array at an unverified, user-input index, allowing an attacker to execute arbitrary code by passing an index greater than the length of the array and therefore accessing outside memory [xorl 2009].

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

...

...

ISO/IEC TR 24772 "XYX Boundary beginning violation," "XYY Wrap-around error," and "XYZ Unchecked array indexing"

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

Bibliography

...