SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 10

changes.mady.by.user Martin Sebor

Saved on

compared with

New Version 11

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added an example of using a past the end index and CWE references.

...

Wiki Markup
The C99 standard \[[ISO/IEC 9899:1999|AA. References#ISOBibliography#ISO/IEC 9899-1999]\] identifies four distinct situations in which undefined behavior (UB) may arise as a result of invalid pointer operations:

UB

Description

Example Code

43

Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that does not point into, or just beyond, the same array object.

#Forming Out Of Bounds Pointer

44

Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that points just beyond the array object and is used as the operand of a unary * operator that is evaluated.

#Dereferencing Past The End Pointer, #Using Past The End Index

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="62cc8afa89b0c37a-8f7ae7a6-481144a5-a6ceb6f9-10ba1c45ea73607f5c10e670"><ac:plain-text-body><![CDATA[

[46

CC. Undefined Behavior#ub_46]

An array subscript is out of range, even if an object is apparently accessible with the given subscript (as in the lvalue expression a[1][7] given the declaration int a[4][5]).

[#Apparently Accessible Out Of Range Index]

]]></ac:plain-text-body></ac:structured-macro>

59

An attempt is made to access, or generate a pointer to just past, a flexible array member of a structure when the referenced object provides no elements for that array.

#Pointer Past Flexible Array Member

103

The pointer passed to a library function array parameter does not have a value such that all address computations and object accesses are valid.

#Invalid Access By Library Function

...

Wiki Markup
The noncompliant code example below shows the flawed logic in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface that was exploited by the W32.Blaster.Worm.  The error is that the while loop in the {{GetMachineName()}} function (used to extract the host name from a longer string) is not sufficiently bounded. When the character array pointed to by {{pwszTemp}} does not contain the backslash character among the first {{MAX_COMPUTERNAME_LENGTH_FQDN + 1}} elements the final valid iteration of the loop will dereference the past the end pointer resulting in exploitable undefined behavior [44|CC. Undefined Behavior#ub_44]. In this case, the actual exploit allowed the attacker to inject executable code into a running program. Economic damage from the Blaster worm has been estimated to be at least $525 million \[[Pethia 03|AA. References#PethiaBibliography#Pethia 03]\].

For a discussion of this programming error in the Common Weakness Enumeration database see CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer and CWE-121: Stack-based Buffer Overflow].

...

Wiki Markup
\[[ISO/IEC 9899:1999|AA. References#ISOBibliography#ISO/IEC 9899-1999]\] Section 6.7.5.2, "Array declarators"
\[[ISO/IEC PDTR 24772|AA. References#ISOBibliography#ISO/IEC PDTR 24772]\] "XYX Boundary Beginning Violation," "XYY Wrap-around Error," and "XYZ Unchecked Array Indexing"
\[[CWE|AA. References#CWEBibliography#CWE]\] [CWE-119|http://cwe.mitre.org/data/definitions/119.html]: Failure to Constrain Operations within the Bounds of a Memory Buffer
\[[CWE|AA. References#CWEBibliography#CWE]\] [CWE-121|http://cwe.mitre.org/data/definitions/121.html]: Stack-based Buffer Overflow
\[[CWE|AA. References#CWEBibliography#CWE]\] [CWE-122|http://cwe.mitre.org/data/definitions/122.html]: Heap-based Buffer Overflow
\[[CWE|AA. References#CWEBibliography#CWE]\] [CWE-129|http://cwe.mitre.org/data/definitions/129.html]: Unchecked Array Indexing
\[[CWE|AA. References#CWEBibliography#CWE]\] [CWE-788|http://cwe.mitre.org/data/definitions/788.html]: Access of Memory Location After End of Buffer
\[[CWE|AA. References#CWEBibliography#CWE]\] [CWE-805|http://cwe.mitre.org/data/definitions/805.html]: Buffer Access with Incorrect Length Value
\[[Finlay 03|AA. References#FinlayBibliography#Finlay 03]\]
\[[Microsoft 03|AA. References#MicrosoftBibliography#Microsoft 03]\]
\[[Pethia 03|AA. References#PethiaBibliography#Pethia 03]\]
\[[Seacord 05a|AA. References#SeacordBibliography#Seacord 05]\] Chapter 1, "Running with Scissors"
\[[Viega 05|AA. References#ViegaBibliography#Viega 05]\] Section 5.2.13, "Unchecked array indexing"
\[[xorl 2009|AA. References#xorlBibliography#xorl 2009] \] ["CVE-2008-1517: Apple Mac OS X (XNU) Missing Array Index Validation"|http://xorl.wordpress.com/2009/06/09/cve-2008-1517-apple-mac-os-x-xnu-missing-array-index-validation/]

...