...
This compliant solution defines the acceptable range for length as [1, MAX_TABLE_LENGTH]. The length parameter is declared as size_t, which is unsigned by definition. Consequently, it is not necessary to check length for negative values . (See see INT01-C. Use rsize_t or size_t for all integer values representing the size of an object).)
| Code Block | ||||
|---|---|---|---|---|
| ||||
enum { MAX_TABLE_LENGTH = 256 };
char** create_table(void) {
const char* const lenstr = getenv("TABLE_SIZE");
const size_t length = lenstr ? strtoul(lenstr, NULL, 10) : 0;
if (length == 0 || length > MAX_TABLE_LENGTH)
return NULL; /* Indicate error to caller */
const size_t table_size = length * sizeof(char *);
char** const table = (char **)malloc(table_size);
if (table == NULL)
return NULL; /* Indicate error to caller */
/* Initialize table... */
return table;
}
|
...
CERT vulnerability 720951 describes a vulnerability in OpenSSL versions 1.0.1 through 1.0.1f, popularly known as "Heartbleed." . This vulnerability allows a malicious packet fed to a server using OpenSSL to trick that server into returning up to 64 kilobytes of its internal memory. This memory can contain sensitive information, including cryptographic keys, usernames and passwords.
The vulnerable code appears below:
an attacker to steal information that under normal conditions would be protected by Secure Socket Layer/Transport Layer Security (SSL/TLS) encryption.
Despite the seriousness of the vulnerability, Heartbleed is the result of a common programming error and an apparent lack of awareness of secure coding principles. Following is the vulnerable code:
| Code Block | ||||
|---|---|---|---|---|
| ||||
int dtls1_process_heartbeat(SSL *s) {
unsigned char *p = &s->s3->rrec.data[0], *pl;
unsigned short hbtype;
unsigned int payload;
unsigned int padding = 16; /* Use minimum padding */
/* Read type and payload length first */
hbtype = *p++;
n2s(p, payload);
pl = p;
/* ... More code ... */
if (hbtype == TLS1_HB_REQUEST) {
unsigned char *buffer, *bp;
int r;
/* Allocate memory for the response, size is 1 byte
* message type, plus 2 bytes payload length, plus
* payload, plus padding
*/
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
bp = buffer;
/* Enter response type, length and copy payload */
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
memcpy(bp, pl, payload);
/* ... More code ... */
}
/* ... More code ... */
} |
This code processes a '"heartbeat' " packet from a client. As specified in in RFC 6520, when the program receives a heartbeat packet, it must echo the packet's data back to the client. In addition to the data, the packet contains a length field that conventionally indicates the number of bytes in the packet data, but there is nothing to prevent a malicious packet from lying about its data length.
The The p pointer pointer, along with with payload and and p1 contain , contain data from a packet. The code allocates a a buffer sufficient sufficient to contain contain payload bytes bytes, with some overhead, and copies then copies payload bytes bytes starting at at p1 into into this buffer , and sends it to the client. Notably absent from this code are any checks that payload actually indicates the correct that the payload integer variable extracted from the heartbeat packet corresponds to the size of the memorypacket data. Because an attacker the client can specify an arbitrary value for of payload, she an attacker can cause this routine the server to read and return the contents of memory beyond the block allocated to p. In this case, the call to memcpy() would also violate end of the packet data, which violates INT04-C. Enforce limits on integer values originating from tainted sources. The resulting call to memcpy() can then copy the contents of memory past the end of the packet data and the packet itself, potentially exposing sensitive data to the attacker. This call to memcpy() violates ARR38-C. Guarantee that library functions do not form invalid pointers. A version of ARR38-C also appears in ISO/IEC TS 17961:2013, "Forming invalid pointers by library functions [libptr]." This rule would require a conforming analyzer to diagnose the Heartbleed vulnerability.
Compliant Solution (Heartbleed)
OpenSSL version 1.0.1g contains the following patch, which guarantees that payload is within a valid range. The range is limited by the size of the input record.
| Code Block | ||||
|---|---|---|---|---|
| ||||
int dtls1_process_heartbeat(SSL *s) {
unsigned char *p = &s->s3->rrec.data[0], *pl;
unsigned short hbtype;
unsigned int payload;
unsigned int padding = 16; /* Use minimum padding */
/* ... More code ... */
/* Read type and payload length first */
if (1 + 2 + 16 > s->s3->rrec.length)
return 0; /* silently discard */
hbtype = *p++;
n2s(p, payload);
if (1 + 2 + payload + 16 > s->s3->rrec.length)
return 0; /* silently discard per RFC 6520 */
pl = p;
/* ... More code ... */
if (hbtype == TLS1_HB_REQUEST) {
unsigned char *buffer, *bp;
int r;
/* Allocate memory for the response, size is 1 byte
* message type, plus 2 bytes payload length, plus
* payload, plus padding
*/
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
bp = buffer;
/* Enter response type, length and copy payload */
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
memcpy(bp, pl, payload);
/* ... More code ... */
}
/* ... More code ... */
} |
Risk Assessment
Failing to enforce the limits on integer values can result in a denial-of-service attack.
...
| CERT C++ Secure Coding Standard | INT04-CPP. Enforce limits on integer values originating from untrusted sources |
| ISO/IEC TS 17961:2013 | Forming invalid pointers by library functions [libptr] Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink] |
...