Pointer arithmetic in C is a powerful feature when working with many data structures, but it can lead to subtle, hard-to-spot coding errors. The reason is that the meaning of an expression such as p + n depends on context (the type of the pointer p), and that type is usually declared somewhere outside the arithmetic expression. When such an expression is used for bounds checking, that is, to decide whether there is space left in a region of memory, getting the scaling wrong leads directly to buffer overflow vulnerabilities.
Background
Pointer arithmetic scales the integer operand by the size of the pointed-to type: for a pointer p, the expression p + n points n elements, that is n * sizeof(*p) bytes, beyond p. When working with arrays this makes element access straightforward, but it also means that a byte count such as sizeof(buf) cannot simply be added to a pointer, because it will be scaled again by the element size.
Exploitable code due to a coding error
Non-Compliant Code Example
This non-compliant code attempts to bound a fill loop using sizeof(buf), which yields a byte count, in an expression whose pointer arithmetic is scaled by sizeof(int).

```c
/* havedata(), getdata() and parseint() are assumed to be declared elsewhere */
int buf[1024];
int *buf_ptr = buf;

/* Bound is wrong: sizeof(buf) is a byte count, but adding it to an int *
 * scales it by sizeof(int) again (kept as written to show the defect) */
while (havedata() && buf_ptr < buf + sizeof(buf)) {
  *buf_ptr = parseint(getdata());
  buf_ptr++;
}
```

At first glance this code appears correct and looks as if it will prevent overflowing the allocated buffer. In fact sizeof(buf) evaluates to the size of the array in bytes (4096 on a platform with 4-byte int), and because buf is an int *, adding that value scales it by sizeof(int) a second time. buf + sizeof(buf) therefore points 4096 elements (16384 bytes) past buf, four times the length of the buffer, or 3072 elements beyond its end. The check permits writes far past the buffer, and even forming a pointer more than one past the end of the array is undefined behaviour in its own right.
...
Compliant Code Example
```c
/* havedata(), getdata() and parseint() are assumed to be declared elsewhere */
int buf[1024];
int *buf_ptr = buf;

/* Compare as byte pointers on both sides, so that sizeof(buf), a byte count,
 * is not scaled by sizeof(int); comparing an int * with a char * directly is
 * a constraint violation that the compiler must diagnose */
while (havedata() && (char *)buf_ptr < (char *)buf + sizeof(buf)) {
  *buf_ptr = parseint(getdata());
  buf_ptr++;
}
```
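The following program, added here as a worked example and not part of the original page, makes the scaling error from the non-compliant example measurable and then runs the loop with the bound expressed in elements, which is the other common compliant form (buf + sizeof(buf) / sizeof(buf[0])) and is equivalent to the byte-pointer comparison above. The data source (have_data and get_int) is a constructed stand-in for the page's havedata(), getdata() and parseint(), and the canary after the buffer is a testing device: it lets the example observe that the fill stopped at the buffer's end without relying on undefined behaviour to crash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { INTBUFSIZE = 1024 };
typedef int intbuf[INTBUFSIZE];   /* same shape as the page's int buf[1024] */

/* Element count the compliant bound resolves to: sizeof gives bytes, so
 * dividing by the element size recovers the number of ints. */
size_t compliant_bound_elements(void) {
    return sizeof(intbuf) / sizeof(int);      /* 1024 */
}

/* Element count that buf + sizeof(buf) actually reaches: the byte count is
 * scaled by sizeof(int) a second time, so the bound lands sizeof(int) times
 * too far.  Returned as an integer rather than formed as a pointer, because
 * an int * more than one past the end of the array is undefined behaviour. */
size_t noncompliant_bound_elements(void) {
    return sizeof(intbuf);                     /* 4096 with a 4-byte int */
}

/* Constructed data source standing in for havedata()/getdata()/parseint():
 * yields 'count' integers, then reports that no more data is available. */
struct source { size_t next, count; };

static int have_data(const struct source *s) { return s->next < s->count; }

static int get_int(struct source *s) {
    int v = (int)(s->next * 7 % 1000);         /* arbitrary deterministic values */
    s->next++;
    return v;
}

/* Buffer followed by a canary so an overrun is observable in a test. */
#define CANARY 0xDEADBEEFu
struct guarded { intbuf buf; uint32_t canary; };

/* The compliant loop with the bound expressed in elements.
 * Returns how many elements were stored. */
size_t fill_compliant(struct guarded *g, struct source *s) {
    int *buf_ptr = g->buf;
    const int *end = g->buf + sizeof(g->buf) / sizeof(g->buf[0]);
    while (have_data(s) && buf_ptr < end) {
        *buf_ptr = get_int(s);
        buf_ptr++;
    }
    return (size_t)(buf_ptr - g->buf);
}

/* Runs the compliant fill against a source offering 'available' items.
 * Returns the number of elements stored, or -1 if the canary after the
 * buffer was overwritten. */
long fill_from_source(size_t available) {
    struct guarded g;
    memset(&g, 0, sizeof g);
    g.canary = CANARY;
    struct source s = { 0, available };
    size_t stored = fill_compliant(&g, &s);
    return g.canary == CANARY ? (long)stored : -1;
}

int main(void) {
    printf("compliant bound:     %zu elements\n", compliant_bound_elements());
    printf("non-compliant bound: %zu elements\n", noncompliant_bound_elements());
    printf("stored from 5000 available items: %ld\n", fill_from_source(5000));
    printf("stored from 100 available items:  %ld\n", fill_from_source(100));
    return 0;
}
```

Note that the sizeof idiom only works on an object of array type such as g->buf here; if the buffer were passed to fill_compliant as an int * parameter, sizeof would yield the size of the pointer, so the element count has to be passed alongside it in that case.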
...