Variable length arrays (VLA) are essentially the same as traditional C arrays, the major difference being they are declared with a size that is not a constant integer expression. A variable length array can be declared as follows:
```c
char vla[s];
```

The above statement is evaluated at runtime, allocating storage for `s` characters in stack memory. If the size argument supplied to a VLA is not a positive integer value of reasonable size, the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 06]. The programmer must ensure that size arguments to VLAs are valid and have not been corrupted as the result of an exceptional integer condition.
Non-Compliant Example
In this example, a VLA of size `s` is declared. In accordance with recommendation INT01-A, "Use size_t for all integer values representing the size of an object", `s` is of type `size_t`, as it is used to specify the size of an object. However, it is unclear whether the value of `s` is a valid size argument. Depending on how VLAs are implemented, `s` may be interpreted as a negative value or a very large positive value. In either case, this may result in a security vulnerability.

```c
void func(size_t s) {
  char vla[s];  /* s is used unchecked as the array size */
  /* ... */
}
```

The caller is expected to validate the size against an upper bound before calling `func`:

```c
#define MAX_ARRAY 1024

/* ... */
if (size < MAX_ARRAY && size != 0) {
  func(size);
} else {
  /* Handle error */
}
/* ... */
```
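As an added example (not part of the CERT page), the following C program moves the size check into the function that declares the VLA, so the array can never be created with an unchecked size. It assumes the page's bound of 1024 for `MAX_ARRAY`; the function names `vla_size_ok`, `checked_vla_sum` and `sum_from_int_size` are the example's own. It also shows how a negative `int` that is converted to `size_t` arrives as a huge value and is rejected by the upper-bound test.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on a VLA size, taken from the page's MAX_ARRAY (assumed value 1024). */
enum { MAX_ARRAY = 1024 };

/* A size is acceptable only if it is non-zero and below MAX_ARRAY.
 * A negative int that was converted to size_t shows up here as a huge
 * value and is rejected by the upper-bound test. */
bool vla_size_ok(size_t s) {
    return s != 0 && s < MAX_ARRAY;
}

/* Validates s, then declares a VLA of s bytes, fills it with `fill`
 * and returns the sum of its bytes. Returns -1 if s was rejected, so
 * the VLA is never declared with an unchecked size. */
long checked_vla_sum(size_t s, unsigned char fill) {
    if (!vla_size_ok(s)) {
        return -1; /* Handle error: refuse to allocate */
    }
    unsigned char vla[s]; /* safe here: 0 < s < MAX_ARRAY */
    memset(vla, fill, s);
    long sum = 0;
    for (size_t i = 0; i < s; i++) {
        sum += vla[i];
    }
    return sum;
}

/* Models a size that arrived as a (possibly corrupted) signed int.
 * The conversion to size_t is where -1 turns into SIZE_MAX. */
long sum_from_int_size(int n, unsigned char fill) {
    return checked_vla_sum((size_t)n, fill);
}

int main(void) {
    printf("%ld\n", checked_vla_sum(8, 3));    /* 24 */
    printf("%ld\n", sum_from_int_size(-1, 3)); /* -1: rejected */
    printf("%ld\n", checked_vla_sum(0, 3));    /* -1: rejected */
    return 0;
}
```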
References

[Griffiths 06] Clutching at straws: When you can shift the stack pointer. http://felinemenace.org/papers/p63-0x0e_Shifting_the_Stack_Pointer.txt