...
In this example, a VLA of size `s` is declared. In accordance with recommendation INT01-A, "Use size_t for all integer values representing the size of an object," `s` is of type `size_t`, as it is used to specify the size of an object. However, it is unclear whether the value of `s` is a valid size argument. Depending on how VLAs are implemented, `s` may be interpreted as a negative value or a very large positive value. In either case, this may result in a security vulnerability.
```c
#include <stddef.h>

/* Noncompliant: s is never validated before it is used as the VLA size */
void func(size_t s) {
  int vla[s];
  /* ... */
}
/* ... */
func(size);
/* ... */
```
...
Validate size arguments used in VLA declarations. The solution below ensures that the size argument `s`, used to allocate `vla`, is in a valid range: 1 to a user-defined constant.
```c
#include <stddef.h>

#define MAX_ARRAY 1024

void func(size_t s) {
  int vla[s];
  /* ... */
}
/* ... */
/* Only call func() once s is known to lie in the range 1 .. MAX_ARRAY-1 */
if (s < MAX_ARRAY && s != 0) {
  func(s);
} else {
  /* Handle Error */
}
/* ... */
```
Risk Assessment
Failure to properly specify the size of a VLA may lead to arbitrary code execution.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ARR32-C | 3 (high) | 1 (unlikely) | 1 (high) | P3 | L1 |