...
Uninitialized automatic variables or dynamically allocated memory has has indeterminate values, which for objects of some types can be a trap representation. Reading uninitialized memory such trap representations is undefined behavior (see undefined behavior 10 and undefined behavior 12); it can cause a program to behave in an unexpected manner and provide an avenue for attack. In many cases, compilers issue a warning diagnostic message when reading uninitialized variables . See (see MSC00-C. Compile cleanly at high warning levels for more information).
Noncompliant Code Example (Return-by-Reference)
...
The realloc() function changes the size of a dynamically allocated memory object. The initial size bytes of the returned memory object are unchanged, but any newly added space is uninitialized, and its value is indeterminate. As in the case of malloc(), accessing memory beyond the size of the original object results in is undefined behavior 181.
It is the programmer's responsibility to ensure that any memory allocated with malloc() and realloc() is properly initialized before it is used.
In this noncompliant code example, an array is allocated with malloc() and properly initialized. At a later point, the array is grown to a larger size but not initialized beyond what the original array contained. Subsequently , accessing the uninitialized bytes in the new array results in is undefined behavior.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdlib.h>
#include <stdio.h>
enum { OLD_SIZE = 10, NEW_SIZE = 20 };
int *resize_array(int *array, size_t count) {
if (0 == count) {
return 0;
}
int *ret = (int *)realloc(array, count * sizeof(int));
if (!ret) {
free(array);
return 0;
}
return ret;
}
void func(void) {
int *array = (int *)malloc(OLD_SIZE * sizeof(int));
if (0 == array) {
/* Handle error */
}
for (size_t i = 0; i < OLD_SIZE; ++i) {
array[i] = i;
}
array = resize_array(array, NEW_SIZE);
if (0 == array) {
/* Handle error */
}
for (size_t i = 0; i < NEW_SIZE; ++i) {
printf("%d ", array[i]);
}
} |
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
enum { OLD_SIZE = 10, NEW_SIZE = 20 };
int *resize_array(int *array, size_t old_count,
size_t new_count) {
if (0 == new_count) {
return 0;
}
int *ret = (int *)realloc(array, new_count * sizeof(int));
if (!ret) {
free(array);
return 0;
}
if (new_count > old_count) {
memset(ret + old_count, 0, (new_count - old_count) * sizeof(int));
}
return ret;
}
void func(void) {
int *array = (int *)malloc(OLD_SIZE * sizeof(int));
if (0 == array) {
/* Handle error */
}
for (size_t i = 0; i < OLD_SIZE; ++i) {
array[i] = i;
}
array = resize_array(array, OLD_SIZE, NEW_SIZE);
if (0 == array) {
/* Handle error */
}
for (size_t i = 0; i < NEW_SIZE; ++i) {
printf("%d ", array[i]);
}
} |
...
CVE-2009-1888 results from a violation of this rule. Some versions of SAMBA (up to 3.3.5) call a function that takes in two potentially uninitialized variables involving access rights. An attacker can exploit this these coding errors to bypass the access control list and gain access to protected files [xorl 2009].
...
| [Flake 2006] | |
| [ISO/IEC 9899:2011] | 6.7.9, "Initialization" 6.2.6.1, "General" 6.3.2.1, "Lvalues, Arrays, and Function Designators" |
| [Mercy 2006] | |
| [VU#925211] | |
| [Wang 2012] | "More Randomness or Less" |
| [xorl 2009] | "CVE-2009-1888: SAMBA ACLs Uninitialized Memory Read" |
...