...
This defect results from a failure to consider all possible data states . See (see MSC01-C. Strive for logical completeness for more information).
Compliant Solution (Return-by-Reference)
...
Before being passed to a multibyte conversion function, an mbstate_t object must be either initialized to the initial conversion state or set to a value that corresponds to the most recent shift state by a prior call to a multibyte conversion function. This compliant solution sets the mbstate_t object to the initial conversion state by setting it to all zeros.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <string.h>
#include <wchar.h>
void func(const char *mbs) {
size_t len;
mbstate_t state;
memset(&state, 0, sizeof(state));
len = mbrlen(mbs, strlen(mbs), &state);
}
|
...
In this compliant solution, the resize_array() helper function takes a second parameter for the old size of the array so that it can initialize any newly allocated elements.:
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
enum { OLD_SIZE = 10, NEW_SIZE = 20 };
int *resize_array(int *array, size_t old_count, size_t new_count) {
if (0 == new_count) {
return 0;
}
int *ret = (int *)realloc(array, new_count * sizeof(int));
if (!ret) {
free(array);
return 0;
}
if (new_count > old_count) {
memset(ret + old_count, 0, (new_count - old_count) * sizeof(int));
}
return ret;
}
void func(void) {
int *array = (int *)malloc(OLD_SIZE * sizeof(int));
if (0 == array) {
/* Handle error */
}
for (size_t i = 0; i < OLD_SIZE; ++i) {
array[i] = i;
}
array = resize_array(array, OLD_SIZE, NEW_SIZE);
if (0 == array) {
/* Handle error */
}
for (size_t i = 0; i < NEW_SIZE; ++i) {
printf("%d ", array[i]);
}
} |
...
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| LANG.MEM.UVAR | Uninitialized Variablevariable | ||||||
| Compass/ROSE | Automatically detects simple violations of this rule, although it may return some false positives. It may not catch more complex violations, such as initialization within functions taking uninitialized variables as arguments. It does catch the second noncompliant code example, and can be extended to catch the first as well | ||||||||
| Coverity | 6.5 | UNINIT | Fully implemented | ||||||
| Fortify SCA | Can detect violations of this rule but will return false positives if the initialization was done in another function | ||||||||
| Cppcheck |
| uninitvar | Detects uninitialized variables, uninitialized pointers, uninitialized struct members, and uninitialized array elements (however, if one element is initialized, then cppcheck assumes the array is initialized) | ||||||
| Fortify SCA | Can detect violations of this rule but will return false positives if the initialization was done in another function | ||||||||
| GCC | 4.3.5 | Can detect some violations of this rule | GCC | 4.3.5 | Can detect some violations of this rule when the | ||||
| 9.1 | UNINIT.HEAP.MIGHT | ||||||||
| 53 D, 69 D, 631 S | Fully implemented | |||||||
| PRQA QA-C |
| 2961, 2962, 2963, 2966, 2967, 2968, 2971, 2972, 2973, 2976, 2977, 2978 | Fully implemented | ||||||
| Splint | 3.1.1 | ||||||||
| , 2973, 2976, 2977, 2978 | Fully implemented | ||||||||
| Splint | 3.1.1 | Cppcheck | |||||||
| Include Page | Cppcheck_V | Cppcheck_V | uninitvar, uninitdata, uninitstring, uninitMemberVar, uninitStructMember |
Related Vulnerabilities
CVE-2009-1888 results from a violation of this rule. Some versions of SAMBA (up to 3.3.5) call a function that takes in two potentially uninitialized variables involving access rights. An attacker can exploit these coding errors to bypass the access control list and gain access to protected files [xorl 2009].
...
| [Flake 2006] | |
| [ISO/IEC 9899:2011] | Subclause 6.7.9, "Initialization" Subclause 6.2.6.1, "General" Subclause 6.3.2.1, "Lvalues, Arrays, and Function Designators" |
| [Mercy 2006] | |
| [VU#925211] | |
| [Wang 2012] | "More Randomness or Less" |
| [xorl 2009] | "CVE-2009-1888: SAMBA ACLs Uninitialized Memory Read" |
...