Comment: made heartbleed into a NCCE/CS pair

...

Code Block
bgColor#ffcccc
langc
const char *table[] = { "black", "white", "blue", "green" };
 
const char *set_background_color(void) {
  int color_index;
  /* Reads an integer from an untrusted source into color_index;
   * no range check follows. */
  GET_TAINTED_INTEGER(int, color_index);
 
  const char *color = table[color_index];  /* Violation: color_index may be
                                              negative or greater than 3 */
 
  /* ... */
  return color;
}

Compliant Solution

This compliant solution defines the acceptable range for color_index as [1, MAX_COLOR_INDEX]:

...

The test for length == 0 ensures that a nonzero number of bytes is allocated. (See MEM04-C. Beware of zero-length allocations.)
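The two checks discussed above, the range check on a tainted table index and the checks on a tainted allocation length, as one added C example. This is not the CERT page's own compliant solution: the tainted value arrives as a string and is parsed with strtol instead of through the page's GET_TAINTED_INTEGER macro, MAX_MESSAGE_LEN is an assumed application limit, and the index is checked against the full bounds of the page's table, 0 through 3, before the array is touched.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example; not the CERT page's own code.  The table is the one from the
 * noncompliant example.  Tainted input is a string here (as from a request
 * parameter or a config file) rather than the page's GET_TAINTED_INTEGER. */

static const char *table[] = { "black", "white", "blue", "green" };
enum { MAX_COLOR_INDEX = (int)(sizeof table / sizeof table[0]) - 1 };  /* 3 */

/* Parse a tainted decimal string into an int constrained to [lo, hi].
 * Returns 0 on success (result in *out), -1 on any error: non-numeric input,
 * trailing junk, a value that does not fit in long, or a value outside
 * the allowed range. */
int parse_tainted_int(const char *s, int lo, int hi, int *out) {
  char *end;
  errno = 0;
  long v = strtol(s, &end, 10);
  if (end == s || *end != '\0' || errno == ERANGE) {
    return -1;              /* not an integer, or overflowed long */
  }
  if (v < lo || v > hi) {
    return -1;              /* enforce the limits before narrowing to int */
  }
  *out = (int)v;            /* safe: lo <= v <= hi and both are ints */
  return 0;
}

/* Look up the colour selected by a tainted string, or NULL if it is out of
 * range.  Negative values and values above 3 never reach the array access. */
const char *set_background_color_checked(const char *tainted) {
  int color_index;
  if (parse_tainted_int(tainted, 0, MAX_COLOR_INDEX, &color_index) != 0) {
    return NULL;            /* handle error: reject, do not index */
  }
  return table[color_index];
}

/* A tainted length has to be limited on both ends: zero (MEM04-C), an
 * application-chosen upper bound (MAX_MESSAGE_LEN is an assumed value), and
 * the number of bytes actually present in the input buffer. */
enum { MAX_MESSAGE_LEN = 1024 };

char *copy_tainted_message(const unsigned char *src, size_t available,
                           size_t length) {
  if (length == 0 || length > MAX_MESSAGE_LEN || length > available) {
    return NULL;
  }
  char *buf = malloc(length + 1);  /* length + 1 cannot overflow: <= 1025 */
  if (buf == NULL) {
    return NULL;
  }
  memcpy(buf, src, length);
  buf[length] = '\0';
  return buf;
}

int main(void) {
  const char *inputs[] = { "2", "4", "-1", "2x", "99999999999999999999" };
  for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
    const char *c = set_background_color_checked(inputs[i]);
    printf("%-22s -> %s\n", inputs[i], c ? c : "rejected");
  }
  return 0;
}
```

The order matters: the value is validated while it is still a long, and only then narrowed to int, so a tainted value that does not fit in int is rejected rather than silently truncated into the accepted range.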


Noncompliant Code Example (Heartbleed)

CERT vulnerability note VU#720951 describes a vulnerability in OpenSSL versions 1.0.1 through 1.0.1f, popularly known as "Heartbleed". This vulnerability allows a malicious packet fed to a server using OpenSSL to trick that server into returning up to 64 kilobytes of its internal memory per request. This memory can contain sensitive information, including cryptographic keys, usernames and passwords.

...

This code processes a 'heartbeat' packet from a client. The pointer p, the length payload, and the pointer pl all carry data from this packet. The code allocates a buffer sufficient to contain payload bytes plus some overhead, copies payload bytes starting at pl into this buffer, and sends it to the client. Notably absent is any check that payload actually reflects the amount of data received: it is never compared against s->s3->rrec.length, the size of the record actually in memory. Because an attacker can specify an arbitrary value for payload, she can cause this routine to read and return memory beyond the block allocated to p. The code was patched in OpenSSL version 1.0.1g.

Compliant Solution (Heartbleed)

OpenSSL version 1.0.1g contains the following patch, which guarantees that payload is within a valid range: the record must be long enough to hold the header and padding, and payload must fit within the bytes of the record actually received:

Code Block
bgColor#ccccff
langc
int dtls1_process_heartbeat(SSL *s) {          
  unsigned char *p = &s->s3->rrec.data[0], *pl;
  unsigned short hbtype;
  unsigned int payload;
  unsigned int padding = 16; /* Use minimum padding */

  // ...

  /* Read type and payload length first */
  if (1 + 2 + 16 > s->s3->rrec.length)
    return 0; /* silently discard */
  hbtype = *p++;
  n2s(p, payload);
  if (1 + 2 + payload + 16 > s->s3->rrec.length)
    return 0; /* silently discard per RFC 6520 sec. 4 */
  pl = p;

  // ...

  if (hbtype == TLS1_HB_REQUEST) {
    unsigned char *buffer, *bp;
    int r;

    /* Allocate memory for the response, size is 1 byte
     * message type, plus 2 bytes payload length, plus
     * payload, plus padding
     */
    buffer = OPENSSL_malloc(1 + 2 + payload + padding);
    bp = buffer;
    /* Enter response type, length and copy payload */
    *bp++ = TLS1_HB_RESPONSE;
    s2n(payload, bp);
    memcpy(bp, pl, payload);
    // ...
  }
  // ...
}

...
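The same missing check reduced to a stand-alone C program, as an added example that is not OpenSSL's code. It models the heartbeat record as a type byte, a 16-bit big-endian length, the payload and 16 bytes of padding, and places a forged record next to some constructed "secret" bytes in one array, so the over-read is visible without undefined behaviour. heartbeat_unchecked reproduces the pre-1.0.1g logic; heartbeat_checked applies the two tests from the patch above, including the `1 + 2 + payload + 16 > length` comparison. Because payload is read from two bytes it is at most 65535, so that sum cannot overflow an unsigned int. All function and constant names here are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code.  The records below are constructed for
 * this example; the bytes after the forged record in the same array stand in
 * for adjacent process memory. */

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HEADER   (1 + 2)                 /* type byte + 16-bit length */
enum { RESPONSE_CAP = HB_HEADER + 0xFFFF + HB_PADDING };

/* A well-formed 23-byte request: 4-byte payload "ping" plus 16 bytes padding. */
const unsigned char good_record[] = {
  HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
};

/* The same 23-byte record, but claiming 29 payload bytes (0x001D), followed
 * by 9 "secret" bytes that lie just past the end of the record. */
enum { FORGED_RECORD_LEN = 23 };
const unsigned char forged_image[] = {
  HB_REQUEST, 0x00, 0x1D, 'p', 'i', 'n', 'g',
  0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
  'S', 'E', 'C', 'R', 'E', 'T', 'K', 'E', 'Y',
};

static unsigned int read_u16(const unsigned char *p) {
  return ((unsigned int)p[0] << 8) | p[1];
}

/* Write a response of HB_HEADER + payload + HB_PADDING bytes into out and
 * return its length.  The payload bytes are copied from pl as-is. */
static size_t build_response(const unsigned char *pl, unsigned int payload,
                             unsigned char *out) {
  unsigned char *bp = out;
  *bp++ = HB_RESPONSE;
  *bp++ = (unsigned char)(payload >> 8);
  *bp++ = (unsigned char)payload;
  memcpy(bp, pl, payload);          /* reads payload bytes starting at pl */
  bp += payload;
  memset(bp, 0, HB_PADDING);        /* OpenSSL fills this with random bytes */
  return (size_t)(bp - out) + HB_PADDING;
}

/* Vulnerable: trusts the attacker-supplied payload length. */
size_t heartbeat_unchecked(const unsigned char *rec, size_t record_len,
                           unsigned char *out) {
  (void)record_len;                 /* never consulted: this is the bug */
  unsigned int payload = read_u16(rec + 1);
  return build_response(rec + HB_HEADER, payload, out);
}

/* Patched: the record must hold header and padding, and payload must fit in
 * what was actually received.  payload <= 65535, so the sum cannot overflow. */
size_t heartbeat_checked(const unsigned char *rec, size_t record_len,
                         unsigned char *out) {
  if (HB_HEADER + HB_PADDING > record_len) {
    return 0;                       /* silently discard */
  }
  unsigned int payload = read_u16(rec + 1);
  if (HB_HEADER + payload + HB_PADDING > record_len) {
    return 0;                       /* claimed length exceeds the record */
  }
  return build_response(rec + HB_HEADER, payload, out);
}

/* Returns 1 if needle occurs anywhere in buf[0..n). */
int contains(const unsigned char *buf, size_t n, const char *needle) {
  size_t k = strlen(needle);
  for (size_t i = 0; i + k <= n; i++) {
    if (memcmp(buf + i, needle, k) == 0) return 1;
  }
  return 0;
}

int main(void) {
  static unsigned char out[RESPONSE_CAP];
  size_t n = heartbeat_unchecked(forged_image, FORGED_RECORD_LEN, out);
  printf("unchecked: %zu bytes, secret leaked: %s\n", n,
         contains(out, n, "SECRETKEY") ? "yes" : "no");
  n = heartbeat_checked(forged_image, FORGED_RECORD_LEN, out);
  printf("checked:   %zu bytes (0 = discarded)\n", n);
  return 0;
}
```

Run against the forged record, the unchecked path returns a 48-byte response whose payload includes the 9 bytes that were never part of the request, which is exactly what a server running 1.0.1f would have put on the wire; the checked path discards the record because 3 + 29 + 16 exceeds the 23 bytes received.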

 

Risk Assessment

Failing to enforce the limits on integer values can result in a denial-of-service attack. As the Heartbleed example shows, an unchecked length from a tainted source can also disclose the contents of process memory.

Recommendation   Severity   Likelihood   Remediation Cost   Priority   Level
INT04-C          Low        Probable     High               P2         L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...