SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 17

changes.mady.by.user Martin Sebor

Saved on

compared with

New Version 18

changes.mady.by.user Shannon Haas

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

UB

Description

Example Code

43

Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that does not point into, or just beyond, the same array object.

#Forming Out Of Bounds Pointer

44

Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that points just beyond the array object and is used as the operand of a unary * operator that is evaluated.

#Dereferencing Past The End Pointer, #Using Past The End Index

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="812b780e05b09598-85e08fcd-410a44c0-b271892e-0757fd90d11b20753a08fe01"><ac:plain-text-body><![CDATA[

[46

CC. Undefined Behavior#ub_46]

An array subscript is out of range, even if an object is apparently accessible with the given subscript (as in the lvalue expression a[1][7] given the declaration int a[4][5]).

[#Apparently Accessible Out Of Range Index]

]]></ac:plain-text-body></ac:structured-macro>

59

An attempt is made to access, or generate a pointer to just past, a flexible array member of a structure when the referenced object provides no elements for that array.

#Pointer Past Flexible Array Member

103

The pointer passed to a library function array parameter does not have a value such that all address computations and object accesses are valid.

#Invalid Access By Library Function

...

In the following noncompliant code example the function f() attempts to validate the index before using it as an offset to the statically allocated table of integers. However, the function fails to reject negative index values. When index is less than zero, the behavior of the addition expression in the return statement of the function is undefined 43. On some implementations, the addition alone can trigger a hardware trap. On other implementations, the addition may produce a result that when dereferenced can trigger a hardware trap. Other implementations still may produce a dereferenceable pointer that points to an object distinct from table. Using such a pointer to access the object may lead to information exposure or cause the wrong object to be modified.

Code Block
bgColor#ffcccc
langc
enum { TABLESIZE = 100 };

static int table[TABLESIZE];

int* f(int index) {
  if (index < TABLESIZE)
    return table + index;

  return NULL;
}

...

One compliant solution is to detect and reject invalid values of index if using them in pointer arithmetic would result in an invalid pointer.

Code Block
bgColor#ccccff
langc
enum { TABLESIZE = 100 };

static int table[TABLESIZE];

int* f(int index) {
  if (0 <= index && index < TABLESIZE)
    return table + index;

  return NULL;
}

...

Another, slightly simpler and potentially more efficient compliant solution is to use an unsigned type to avoid having to check for negative values while still rejecting out of bounds positive values of index.

Code Block
bgColor#ccccff
langc
enum { TABLESIZE = 100 };

static int table[TABLESIZE];

int* f(size_t index) {
  if (index < TABLESIZE)
    return table + index;

  return NULL;
}

...

For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-119, "Failure to Constrain Operations within the Bounds of a Memory Buffer" and CWE-121, "Stack-based Buffer Overflow."

Code Block
bgColor#ffcccc
langc
error_status_t _RemoteActivation(
      /* ... */, WCHAR *pwszObjectName, ... ) {
   *phr = GetServerPath(
              pwszObjectName, &pwszObjectName);
    /* ... */
}

HRESULT GetServerPath(
  WCHAR *pwszPath, WCHAR **pwszServerPath ){
  WCHAR *pwszFinalPath = pwszPath;
  WCHAR wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1];
  hr = GetMachineName(pwszPath, wszMachineName);
  *pwszServerPath = pwszFinalPath;
}

HRESULT GetMachineName(
  WCHAR *pwszPath,
  WCHAR wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1])
{
  pwszServerName = wszMachineName;
  LPWSTR pwszTemp = pwszPath + 2;
  while ( *pwszTemp != L'\\' )
    *pwszServerName++ = *pwszTemp++;
  /* ... */
}

...

In the following compliant solution, the while loop in the GetMachineName() function is bounded so that the loop terminates when a backslash character is found, the null termination character (L'\0' is discovered, or when the end of the buffer is reached. This code does not result in a buffer overflow, even if no backslash character is found in wszMachineName.

Code Block
bgColor#ccccff
langc
HRESULT GetMachineName(
  wchar_t *pwszPath,
  wchar_t wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1])
{
  wchar_t *pwszServerName = wszMachineName;
  wchar_t *pwszTemp = pwszPath + 2;
  wchar_t *end_addr
    = pwszServerName + MAX_COMPUTERNAME_LENGTH_FQDN;
  while ( (*pwszTemp != L'\\')
     &&  ((*pwszTemp != L'\0'))
     && (pwszServerName < end_addr) )
  {
    *pwszServerName++ = *pwszTemp++;
  }

  /* ... */
}

...

For a discussion of this programming error in the Common Weakness Enumeration database see CWE-122, "Heap-based Buffer Overflow" and CWE-129, "Improper Validation of Array Index."

Code Block
bgColor#ffcccc
langc
static int *table = NULL;
static size_t size = 0;

int insert_in_table(size_t pos, int value) {
  if (size < pos) {
    int *tmp;
    size = pos + 1;
    tmp = (int*)realloc(table, sizeof *table * size);
    if (NULL == tmp)
      return -1;

    table = tmp;
  }

  table[pos] = value;
  return 0;
}

...

The following compliant solution correctly validates the index pos by using the <= operator and avoids modifying size until it has verified that the call to realloc() was successful.

Code Block
bgColor#ccccff
langc
static int *table = NULL;
static size_t size = 0;

int insert_in_table(size_t pos, int value) {
  if (size <= pos) {
    int *tmp = (int*)realloc(table, sizeof *table * (pos + 1));
    if (NULL == tmp)
      return -1;   /* indicate failure */

    /* modify size only after realloc succeeds */
    size  = pos + 1;
    table = tmp;
  }

  table[pos] = value;
  return 0;
}

...

Wiki Markup
The following noncompliant code example declares {{matrix}} to consist of 7 rows and 5 columns in row-major order. The function {{init_matrix}} then iterates over all 35 elements in an attempt to initialize each to the value given by the function argument {{x}}. However, since multidimensional arrays are declared in C in row-major order, and the function iterates over the elements in column-major order, when the value of {{j}} reaches the value {{COLS}} during the first iteration of the outer loop, the function attempts to access element {{matrix\[0\]\[5\]}}. Since the type of {{matrix}} is {{int\[7\]\[5\]}}, the {{j}} subscript is out of range, and the access has undefined behavior [46|CC. Undefined Behavior#ub_46].

Code Block
bgColor#ffcccc
langc
static const size_t COLS = 5;
static const size_t ROWS = 7;

static int matrix[ROWS][COLS];

void init_matrix(int x) {
  for (size_t i = 0; i != COLS; ++i)
    for (size_t j = 0; j != ROWS; ++j)
      matrix[i][j] = x;
}

...

The following compliant solution avoids using out-of-range indices by initializing matrix elements in the same row-major order as multidimensional objects are declared in C.

Code Block
bgColor#ccccff
langc
static const size_t COLS = 5;
static const size_t ROWS = 7;

static int matrix[ROWS][COLS];

void init_matrix(int x) {
  for (size_t i = 0; i != ROWS; ++i)
    for (size_t j = 0; j != COLS; ++j)
      matrix[i][j] = x;
}

...

In the following noncompliant code example the function find() attempts to iterate over the elements of the flexible array member buf, starting with the second element. However, since function g() does not allocate any storage for the member, the expression first++ in find() will attempt to form a pointer just past the end of buf when there are no elements. This attempt results in undefined behavior 59.

Code Block
bgColor#ffcccc
langc
struct S {
  size_t len;
  char   buf[];   /* flexible array member */
};

char* find(const struct S *s, int c) {
  char *first = s->buf;
  char *last  = s->buf + s->len;

  while (first++ != last)   /* undefined behavior here */
    if (*first == (unsigned char)c)
      return first;

  return NULL;
}

void g() {
  struct S *s = (struct S*)malloc(sizeof (struct S));
  s->len = 0;
  /* ... */
  char *where = find(s, '.');
  /* ... */
}

...

The following compliant solution avoids incrementing the pointer unless a value past the pointer's current value is known to exist.

Code Block
bgColor#ccccff
langc
struct S {
  size_t len;
  char   buf[];   /* flexible array member */
};

char* find(const struct S *s, int c) {
  char *first = s->buf;
  char *last  = s->buf + s->len;

  while (first != last)   /* avoid incrementing here */
    if (*++first == (unsigned char)c)
      return first;

  return NULL;
}

void g() {
  struct S *s = (struct S*)malloc(sizeof (struct S));
  s->len = 0;
  /* ... */
  char *where = find(s, '.');
  /* ... */
}

...

For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-121, "Access of Memory Location After End of Buffer" and CWE-805, "Buffer Access with Incorrect Length Value."

Code Block
bgColor#ffcccc
langc
void f(FILE *file) {
  wchar_t wbuf[BUFSIZ];

  const size_t size = sizeof *wbuf;
  const size_t nitems = sizeof wbuf;

  size_t nread;

  nread = fread(wbuf, size, nitems, file);
  /* ... */
}

...

The following compliant solution correctly computes the maximum number of items for fread() to read from the file.

Code Block
bgColor#ccccff
langc
void f(FILE *file) {
  wchar_t wbuf[BUFSIZ];

  const size_t size = sizeof *wbuf;
  const size_t nitems = sizeof wbuf / size;

  size_t nread;

  nread = fread(wbuf, size, nitems, file);
  /* ... */
}

...