...
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *secret; /* initializeInitialize secret */ char *new_secret; size_t size = strlen(secret); if (size == SIZE_MAX) { /* Handle error */ } new_secret = (char *)malloc(size+1); if (!new_secret) { /* Handle error */ } strcpy(new_secret, secret); /* Process new_secret... */ free(new_secret); new_secret = NULL; |
...
To prevent information leakage, dynamic memory containing sensitive information should be sanitized before being freed. Sanitization is commonly accomplished by clearing the allocated space (that is, filling the space with '\0' characters).
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *secret; /* initializeInitialize secret */ char *new_secret; size_t size = strlen(secret); if (size == SIZE_MAX) { /* Handle error */ } /* useUse calloc() to zero-out allocated space */ new_secret = (char *)calloc(size+1, sizeof(char)); if (!new_secret) { /* Handle error */ } strcpy(new_secret, secret); /* Process new_secret... */ /* sanitizeSanitize memory */ memset_s(new_secret, '\0', size); free(new_secret); new_secret = NULL; |
The calloc() function ensures that the newly allocated memory has also been cleared. Because sizeof(char) is guaranteed to be 1, this solution does not need to check for a numeric overflow as a result of using calloc(). (See MEM07-C. Ensure that the arguments to calloc(), when multiplied, do not wrap.)
See MSC06-C. Be aware Beware of compiler optimization when dealing with sensitive dataoptimizations for a definition and discussion of using the memset_s() function.
...
Reallocating memory using realloc() can have the same problem as freeing memory. The realloc() function de-allocates deallocates the old object and returns a pointer to a new object. Using realloc() to resize dynamic memory may inadvertently expose sensitive information, or it may allow heap inspection, as described in Fortify Taxonomy: Software Security Errors [Fortify 2006] and NIST's Source Code Analysis Tool Functional Specification [Black 2007].
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *secret; /* initializeInitialize secret */ size_t secret_size = strlen(secret); /* ... */ if (secret_size > SIZE_MAX/2) { /* handleHandle error condition */ } else { secret = (char *)realloc(secret, secret_size * 2); } |
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
char *secret; /* initializeInitialize secret */ size_t secret_size = strlen(secret); char *temp_buff; /* ... */ if (secret_size > SIZE_MAX/2) { /* handleHandle error condition */ } /* calloc() initializes memory to zero */ temp_buff = (char *)calloc(secret_size * 2, sizeof(char)); if (temp_buff == NULL) { /* Handle error */ } memcpy(temp_buff, secret, secret_size); /* sanitizeSanitize the buffer */ memset((volatile char *)secret, '\0', secret_size); free(secret); secret = temp_buff; /* installInstall the resized buffer */ temp_buff = NULL; |
...
In practice, this type of security flaw can expose sensitive information to unintended parties. The Sun tarball vulnerability discussed in Secure Coding Principles & Practices: Designing and Implementing Secure Applications [Graf 2003] and Sun Security Bulletin #00122 [Sun 1993] shows a violation of this recommendation, leading to sensitive data being leaked. Attackers may also be able to leverage this defect to retrieve sensitive information using techniques such as heap inspection.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MEM03-C | mediumMedium | unlikelyUnlikely | highHigh | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
|
| Could detect possible violations of this rule by first flagging any usage of | |||||||
| SV.USAGERULES.UNINTENDED_COPY |
| |||||||
| PRQA QA-C |
| warncall for realloc | Partially implemented |
...