...

The above statement is evaluated at runtime, allocating storage for s characters on the stack. If the size argument supplied to a VLA is not a positive integer value of reasonable size, the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data (Feline 1). The programmer must ensure that size arguments to VLAs are valid and have not been corrupted as the result of an exceptional integer condition.

Non-Compliant Example

...

In this example, a VLA of size s is declared, with s being of type size_t. However, it is unclear whether or not s is a valid size argument. Depending on how VLAs are implemented, s may be interpreted as a negative value or a very large value. In either case, this may result in a security vulnerability.

void func(size_t s) {
  int vla[s];  /* VLA declared with an unvalidated size */
  /* ... */
}
/* ... */
func(size);
/* ... */

Compliant Solution

Validate size arguments used in VLA declarations. The following example corrects the security issue in the example above by testing the size argument to ensure it is in a valid range, 0 to a user-defined constant.

#define MAX_ARRAY 1024

void func(size_t s) {
  int vla[s];  /* size has been checked by the caller */
  /* ... */
}
/* ... */
if (size < MAX_ARRAY && size != 0) {
  func(size);
} else {
  /* Handle error */
}
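The compliant solution carried through as a complete, self-contained program, added here as an example and not the rule's own code. MAX_ARRAY comes from the page; vla_size_ok, checksum_via_vla, size_from_signed_ok and the SAMPLE data are assumptions made for this illustration. The check also covers the "exceptional integer condition" mentioned above, where a signed length that went negative arrives as a huge size_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_ARRAY 1024  /* user-defined upper bound from the page */

/* Returns 1 when s is an acceptable VLA size, 0 otherwise.
 * Rejects 0 (a zero-length VLA is undefined behaviour) and anything
 * at or above MAX_ARRAY, which also catches a negative int that was
 * converted to size_t and became a very large value. */
int vla_size_ok(size_t s) {
    return s != 0 && s < MAX_ARRAY;
}

/* Copies len bytes from src into a VLA and sums them.
 * Returns -1 when len is not a valid VLA size; the VLA is never
 * declared in that case, so no stack allocation of a bad size occurs. */
long checksum_via_vla(const unsigned char *src, size_t len) {
    if (!vla_size_ok(len)) {
        return -1;  /* handle error before the VLA declaration */
    }
    unsigned char buf[len];  /* safe: 0 < len < MAX_ARRAY */
    memcpy(buf, src, len);
    long sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum += buf[i];
    }
    return sum;
}

/* A signed length from elsewhere in the program (assumed API shape):
 * -1 converts to SIZE_MAX and is rejected by the range check. */
int size_from_signed_ok(int requested) {
    return vla_size_ok((size_t)requested);
}

/* Constructed sample input for a stand-alone run (not from the page). */
static const unsigned char SAMPLE[4] = {1, 2, 3, 4};
```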

References

Feline 1: http://felinemenace.org/papers/p63-0x0e_Shifting_the_Stack_Pointer.txt