...
This code tests for signed integer overflow by testing to see if a + 100 > a. This test cannot evaluate to true unless an integer overflow occurs. However, because a conforming implementation is not required to generate code for undefined behavior, and signed integer overflow is undefined behavior, this code may be compiled out. For example, gcc version 4.1.1 optimizes out the assertion for all optimization levels, and gcc 4.2.3 optimizes out the assertion for programs compiled with -O2 level optimization and higher.
Compliant Solution
This compliant solution does not depend on undefined behavior: the test is a precondition on the operand and never performs the overflowing addition, so a conforming implementation is required to generate code for the overflow test in the assertion.
```c
#include <assert.h>
#include <limits.h>
#include <stdio.h>

int foo(int a) {
  /* Precondition check on the operand: the addition a + 100 is never
     evaluated before the check, so the test is well defined and the
     compiler must generate code for it. */
  assert((a < 0) || (a < (INT_MAX - 100)));
  printf("%d %d\n", a + 100, a);
  return a;
}

int main(void) {
  foo(100);
  foo(INT_MAX);
  return 0;
}
```
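The same precondition-before-operation pattern generalized to an arbitrary signed addend, as an added example that is not part of the original page or the CERT solution; safe_add and can_add_100 are hypothetical names chosen here.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Overflow-safe signed addition. The range check is performed on the
   operands before the addition, so it never relies on undefined
   behavior and cannot be optimized away as the noncompliant
   a + 100 > a test can. Returns true and stores the sum when a + b is
   representable, false (leaving *result untouched) when it would
   overflow in either direction. */
bool safe_add(int a, int b, int *result)
{
    if ((b > 0 && a > INT_MAX - b) ||   /* would exceed INT_MAX */
        (b < 0 && a < INT_MIN - b)) {   /* would go below INT_MIN */
        return false;
    }
    *result = a + b;
    return true;
}

/* The page's fixed-addend case expressed as a precondition: a + 100
   is representable exactly when a <= INT_MAX - 100. */
bool can_add_100(int a)
{
    return a <= INT_MAX - 100;
}

int main(void)
{
    /* Constructed sample inputs covering the boundary cases. */
    const int samples[] = { 100, INT_MAX - 100, INT_MAX, INT_MIN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r;
        if (safe_add(samples[i], 100, &r))
            printf("%d + 100 = %d\n", samples[i], r);
        else
            printf("%d + 100 would overflow\n", samples[i]);
    }
    return 0;
}
```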
...
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC15-A | low high | unlikely high | medium | P2 P18 | L3 L1 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[Dowd 06] Chapter 6, "C Language Issues" (Arithmetic Boundary Conditions, pp. 211-223)
[ISO/IEC 9899-1999] Section 3.4.3, "undefined behavior," Section 4, "Conformance," and Annex J.2, "Undefined behavior"
[Seacord 05] Chapter 5, "Integers"
...