...

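```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char *foo;

void int_handler(int signum) {
  (void)signum;
  free(foo);  /* noncompliant: free() is not asynchronous-safe, and foo is
                 freed twice if SIGINT arrives after the free() in main() */
  _Exit(0);
}

int main(void) {
  foo = malloc(15);
  if (foo == NULL) {
    return 1;  /* allocation failed */
  }
  signal(SIGINT, int_handler);

  strcpy(foo, "Hello World.");
  puts(foo);

  free(foo);
  return 0;
}
```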

Compliant Solution

...

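```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char *foo;

void int_handler(int signum) {
  (void)signum;
  _Exit(0);  /* the handler no longer touches the heap */
}

int main(void) {
  foo = malloc(15);
  if (foo == NULL) {
    return 1;  /* allocation failed */
  }
  signal(SIGINT, int_handler);

  strcpy(foo, "Hello World.");
  puts(foo);

  free(foo);  /* foo is released only here, in normal program context */
  return 0;
}
```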
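When the program must keep running long enough to clean up after SIGINT, the handler can record the signal in a flag and leave the `free()` to normal code. The following is an added example, not part of the original rule text; `run_job`, its `sigint_at` test hook and the step loop are hypothetical names introduced for illustration.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The only object the handler touches. volatile sig_atomic_t is the type
 * the C standard permits a signal handler to write. */
static volatile sig_atomic_t interrupted = 0;

static void int_handler(int signum) {
  (void)signum;
  interrupted = 1;  /* no free(), no stdio, no heap access here */
}

/* Hypothetical worker: runs up to `steps` iterations and returns how many
 * completed, or -1 on setup failure. `sigint_at` is a constructed test hook
 * that raises SIGINT before that iteration to stand in for a user's Ctrl-C;
 * pass -1 for no signal. */
int run_job(int steps, int sigint_at) {
  int done = 0;
  char *foo = malloc(15);
  if (foo == NULL) {
    return -1;
  }
  interrupted = 0;
  if (signal(SIGINT, int_handler) == SIG_ERR) {
    free(foo);
    return -1;
  }
  strcpy(foo, "Hello World.");

  for (int i = 0; i < steps && !interrupted; i++) {
    if (i == sigint_at) {
      raise(SIGINT);  /* handler runs before raise() returns */
      continue;       /* loop condition now sees the flag and stops */
    }
    puts(foo);
    done++;
  }

  signal(SIGINT, SIG_DFL);
  free(foo);  /* single release point, in normal (non-handler) context */
  return done;
}

int main(void) {
  return run_job(3, -1) == 3 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```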

Risk Assessment

Depending on the code, this could lead to any number of attacks, many of which could give root access. For an overview of some software vulnerabilities, see Zalewski's paper on understanding, exploiting and preventing signal-handling related vulnerabilities [Zalewski 01]. VU #834865 (http://www.kb.cert.org/vuls/id/834865) describes a vulnerability resulting from a violation of this rule.

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| SIG00-C | 3 (high) | 3 (likely) | 1 (high) | P9 | L2 |

...

[ISO/IEC 03] "Signals and Interrupts"
[Open Group 04] longjmp (http://www.opengroup.org/onlinepubs/000095399/functions/longjmp.html)
[OpenBSD] signal() Man Page (http://www.openbsd.org/cgi-bin/man.cgi?query=signal)
[Zalewski 01] http://lcamtuf.coredump.cx/signals.txt