...
Additionally, memory allocated by functions, such as malloc(), should not be used before being initialized as because its contents are also indeterminate.
...
In this noncompliant code example, the set_flag() function is intended to set the variable sign_flag to -1 −1 when number is negative or 1 or 1 when number is positive. However, the programmer neglected to account for number being 0. If number is 0, then sign_flag is not assigned to. Because sign is uninitialized when calling set_flag(), it uses whatever value is at that location in the program stack (assuming that the architecture makes use of a program stack). This can lead to unexpected or otherwise incorrect program behavior.
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
void set_flag(int number, int *sign_flag) {
if (NULL == sign_flag)
return;
if (number >= 0) { /* accountAccount for number being 0 */
*sign_flag = 1;
} else {
*sign_flag = -1;
}
}
int is_negative(int number) {
int sign = 0; /* initializeInitialize as a matter of defense-in-depth */
set_flag(number, &sign);
return sign < 0;
}
|
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
void report_error(const char *msg) {
const char *error_log = msg;
char buffer[24];
sprintf(buffer, "Error: %s", error_log);
printf("%s\n", buffer);
}
|
This solution example is still problematic because a buffer overflow will occur if the null-terminated byte string referenced by msg is greater than 17 bytes, including the null terminator. The solution It also makes use of a magic number, which should be avoided. (See DCL06-C. Use meaningful symbolic constants to represent literal values.)
...
A much simpler, less error-prone, and better-performing compliant solution is shown here:
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <time.h>
#include <unistd.h>
#include <stdlib.h>
double cpu_time;
struct timeval tv;
unsigned long junk;
cpu_time = ((double) clock()) / CLOCKS_PER_SEC;
gettimeofday(&tv, NULL);
srandom((getpid() << 16) ^ tv.tv_sec ^ tv.tv_usec ^ junk); |
Exceptions
EXP33-EX1: Reading uninitialized memory of type unsigned char does not trigger undefined behavior. The unsigned char type is defined to not have a trap representation (see the C Standard, subclause 6.2.6.1, paragraph 3), which allows for moving bytes without knowing if they are initialized. However, on some architectures, such as the Intel Itanium, registers have a bit to indicate whether or not they have been initialized or not. The C Standard, subclause 6.3.2.1, paragraph 2, allows such implementations to cause a trap for an object that never had its address taken and is stored in a register if such an object is referred to in any way.
...
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Compass/ROSE | Automatically detects simple violations of this rule, although it may return some false positives. It may not catch more complex violations, such as initialization within functions taking uninitialized variables as arguments. It does catch the second noncompliant code example, and can be extended to catch the first as well | ||||||||
| Coverity | 6.5 | UNINIT | Fully implemented | 5.0 | NO_EFFECT | Fully implemented Can find cases of an uninitialized variable being used before it is initialized, although it cannot detect cases of uninitialized members of a | |||
| Fortify SCA | Can detect violations of this rule , but will return false positives if the initialization was done in another function | ||||||||
| GCC | 4.3.5 | Can detect some violations of this rule when the | |||||||
| 9.1 | UNINIT.HEAP.MIGHT | ||||||||
| 57 D | Fully implemented | |||||||
| PRQA QA-C |
| 2961 (D) 2962 (A) 2963 (S) 2971 (D) 2972 (A) | Fully implemented | ||||||
| Splint | 3.1.1 |
Related Vulnerabilities
CVE-2009-1888 results from a violation of this recommendationrule. Some versions of SAMBA (up to 3.3.5) call a function which that takes in two potentially uninitialized variables involving access rights. An attacker can exploit this to bypass the access control list and gain access to protected files [xorl 2009].
...
| [Flake 2006] | |
| [ISO/IEC 9899:2011] | Section Subclause 6.7.9, "Initialization" |
| [Mercy 2006] | |
| [Wang 2012] | "More Randomness or Less" |
| [xorl 2009] | "CVE-2009-1888: SAMBA ACLs Uninitialized Memory Read" |
...