...
Only use signed char and unsigned char types for the storage and use of numeric values.
Non-Compliant Code Example
This non-compliant code example is taken from an actual vulnerability in bash versions 1.14.6 and earlier that resulted in the release of CERT Advisory CA-1996-22. This vulnerability resulted from the declaration of the string variable in the yy_string_get() function as char * in the parse.y module of the bash source code:
...
The string variable is used to traverse the character string containing the command line to be parsed. As characters are retrieved from this pointer, they are stored in a variable of type int. For compilers in which the char type defaults to signed char, this value is sign-extended when assigned to the int variable. For character code 255 decimal (-1 in two's complement form), this sign extension results in the value -1 being assigned to the integer which is indistinguishable from the EOF integer constant expression.
Compliant Solution
This problem is easily repaired by explicitly declaring the string variable as unsigned char.
| Code Block | ||
|---|---|---|
| ||
static int yy_string_get() {
register unsigned char *string;
register int c;
string = bash_input.location.string;
c = EOF;
/* If the string doesn't exist, or is empty, EOF found. */
if (string && *string) {
c = *string++;
bash_input.location.string = string;
}
return (c);
}
|
Risk Assessment
This is a subtle error that results in a disturbingly broad range of potentially severe vulnerabilities.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
INT07-A | 2 (medium) | 2 (probable) | 2 (medium) | P8 | L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
| Wiki Markup |
|---|
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.2.5, "Types" |