...
The examples in this rule reflect both correct and incorrect ways to handle additions of numbers that represent different things (either single bytes or multibyte data structures). The NCCEs just add the numbers without regard to units, whereas the CCEs use typecasts to convert one number to the unit of the other before adding.
ROSE could catch both NCCEs by searching for pointer arithmetic expressions whose operands have different units. Determining the 'different units' is the tricky part, but one can try to identify an expression's unit using some simple heuristics:
- A pointer to a 'foo' object has 'foo' as the unit.
- A char* (pointer to char) has 'byte' as the unit.
- Any sizeof or offsetof expression also has unit 'byte'.
- Any variable used as an index into an array of foo objects (e.g., foo[variable]) has 'foo' as the unit.
In addition to pointer arithmetic expressions, one could also hunt for array index expressions, as array[index] is merely shorthand for 'array + index'. But programmers will likely be more conscientious about using [] with correct units than when using pointer arithmetic.
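The following C program is an added, constructed illustration of the unit mismatch the heuristics above are meant to detect; it is not one of the rule's own NCCE/CCE pairs, and the struct record type, NREC, the arena buffer and the function names are assumptions made for this example. It puts a pointer with unit 'record' next to a sizeof expression with unit 'byte' (the noncompliant pattern), then shows the two compliant alternatives: keep both operands in record units, or cast the pointer to char* so that its unit becomes 'byte' before the byte count is added.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record type (assumption, not from the rule): two 32-bit
 * fields, so sizeof(struct record) is 8 and 'record' units and 'byte'
 * units differ by a factor of 8. */
struct record {
    uint32_t id;
    uint32_t flags;
};

#define NREC 8   /* logical length of the buffer, in records */

/* Backing storage deliberately oversized (NREC * sizeof(struct record)
 * records) so that the mis-scaled pointer below still lands at most one
 * past the end of an object and the pointer subtraction stays defined.
 * In real code the buffer would hold NREC records and the mis-scaled
 * pointer would be far out of bounds. */
static struct record arena[NREC * sizeof(struct record)];

/* Noncompliant pattern: 'buf' has unit 'record' (pointer to a record),
 * sizeof(...) has unit 'byte', and the compiler silently scales the byte
 * count by sizeof(struct record). The intended "one past the last record"
 * pointer ends up sizeof(struct record) times too far.
 * Returns the distance from buf in records. */
ptrdiff_t end_offset_mixed_units(struct record *buf) {
    struct record *end = buf + sizeof(struct record[NREC]); /* bytes added as records */
    return end - buf;
}

/* Compliant: keep both operands in 'record' units. */
ptrdiff_t end_offset_records(struct record *buf) {
    struct record *end = buf + NREC;
    return end - buf;
}

/* Compliant alternative when a byte count is what you have: cast the
 * pointer to char* so its unit becomes 'byte', add, then cast back to
 * the record type. This is the typecast approach the CCEs use. */
ptrdiff_t end_offset_bytes_via_cast(struct record *buf, size_t nbytes) {
    struct record *end = (struct record *)((char *)buf + nbytes);
    return end - buf;
}

int main(void) {
    printf("mixed units : end is %td records past buf (intended %d)\n",
           end_offset_mixed_units(arena), NREC);
    printf("record units: end is %td records past buf\n",
           end_offset_records(arena));
    printf("byte cast   : end is %td records past buf\n",
           end_offset_bytes_via_cast(arena, sizeof(struct record[NREC])));
    return 0;
}
```

A loop guarded by `p < end` using the mixed-units end pointer would visit sizeof(struct record) times as many elements as the buffer holds, which is the out-of-bounds access the Risk Assessment below refers to. A checker applying the heuristics above would flag the first function because its addition combines a 'record'-unit operand with a 'byte'-unit operand, and would accept the third because the char* cast puts both operands in 'byte' units.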
Risk Assessment
Failure to understand and properly use pointer arithmetic can allow an attacker to execute arbitrary code.
...