The {{readlink()}} function reads where a link points to. It is unusual, as it makes no effort to null terminate its second argument, {{buffer}}. Instead, it just returns the number of characters it has written. Because {{readlink()}} never null-terminates by itself, the caller has to do it. People often seem to forget this, leading to information leaks or sometimes memory corruption.
h2. Non-Compliant Coding Example
If {{len}} is equal to {{sizeof(buf)}}, the null terminator will be written one byte past the end of {{buf}}.
{code:bgColor=#FFcccc}
char buf[256];
ssize_t len = readlink("/usr/bin/perl", buf, sizeof(buf));
buf[len] = '\0'; /* out of bounds when len == sizeof(buf) */
{code}
A simple (but incorrect) solution to this problem is to try to make {{buf}} large enough that it can always hold the result:
{code:bgColor=#ffcccc}
char buf[PATH_MAX+1];
ssize_t len = readlink("/usr/bin/perl", buf, sizeof(buf));
buf[len] = '\0';
{code}
This "fix" incorrectly assumes that {{PATH_MAX}} represents the longest possible path for a file in the filesystem. ({{PATH_MAX}} only bounds the longest possible relative path that can be passed to the kernel in a single call.) On most Unix and Linux systems, there is no easily-determined maximum length for a file path, and so the off-by-one buffer overflow risk is still present.
An additional issue is that {{readlink()}} can return {{-1}} if it fails, causing an off-by-one underflow.
h2. Compliant Solution
{code:bgColor=#ccccff}
#include <unistd.h>

char buf[256];
ssize_t len;

/* Pass sizeof(buf)-1 so there is always room for the terminator. */
if ((len = readlink("/usr/bin/perl", buf, sizeof(buf)-1)) != -1) {
  buf[len] = '\0';
}
else {
  /* handle error condition */
}
{code}
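The compliant solution uses a fixed buffer, while the text above notes that there is no easily-determined maximum length for a file path. The following added example (not part of the original rule) goes one step further and grows the buffer until the target fits; the helper name {{read_link_alloc}} and the initial size of 16 are assumptions made for illustration.

```c
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from the original page): returns a malloc'd,
 * null-terminated copy of the link target, or NULL on error.
 * The caller frees the result. */
char *read_link_alloc(const char *path)
{
    size_t size = 16;            /* deliberately small so growth is exercised */
    char *buf = NULL;

    for (;;) {
        char *tmp = realloc(buf, size);
        if (tmp == NULL) {
            free(buf);
            return NULL;
        }
        buf = tmp;

        /* Leave one byte free for the terminator, as in the compliant solution. */
        ssize_t len = readlink(path, buf, size - 1);
        if (len == -1) {         /* never index buf with -1 */
            free(buf);
            return NULL;
        }
        if ((size_t)len < size - 1) {
            buf[len] = '\0';     /* len <= size - 2, so this is in bounds */
            return buf;
        }
        /* len == size - 1: the target may have been truncated; retry bigger. */
        if (size > (size_t)-1 / 2) {   /* guard the doubling against overflow */
            free(buf);
            return NULL;
        }
        size *= 2;
    }
}
```

A return value equal to the space offered is treated as possible truncation, because {{readlink()}} does not report how long the full target is.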
h2. Risk Analysis
|| Rule || Severity || Likelihood || Remediation Cost || Priority || Level ||
| POS30-C | *1* (low) | *2* (probable) | *2* (medium) | {color:green}{*}P4{*}{color} | {color:green}{*}L3{*}{color} |
h2. References
\[[ilja 06|AA. C References#ilja 06]\]
\[[Open Group 97|AA. C References#Open Group 97]\]
\[[Open Group 04|AA. C References#Open Group 04]\]