Many library functions accept pointers as arguments. If the function dereferences an invalid pointer, such as a null pointer (see EXP34-C. Ensure a null pointer is not dereferenced), or reads or writes through a pointer that does not refer to a valid object, the behavior is undefined. Typically the program terminates abnormally when the invalid pointer is dereferenced, but it is possible, and quite common, for an invalid pointer to be dereferenced, and the memory it points to modified, without abnormal termination [Jack 07]. Such programs can be very difficult to debug, because nothing at the point of failure reveals that the pointer was invalid.

...

As you can see, the invalid() function is not perfect; it identifies only null pointers and pointers to functions as invalid. A dangling pointer to freed storage, a pointer past the end of an object, or a misaligned pointer passes the check unnoticed.

Non-Compliant Code Example

This function increments the value pointed to by its argument. It checks that the argument is not a null pointer, but a non-null pointer can still be invalid (dangling, out of bounds, or pointing into memory the program does not own), so the function may corrupt memory or terminate abnormally.

#include <stddef.h>

void incr(int *intptr) {
  if (intptr == NULL) {
    /* handle error */
    return;
  }
  (*intptr)++;  /* increment the pointed-to value, not the pointer */
}

Compliant Solution

By using the invalid() function defined above, the function is less likely to dereference an invalid pointer and so to modify memory it does not own. The check is still only a heuristic: it rejects the pointer classes invalid() knows about and nothing more.

int invalid(void *p);  /* the pointer validation function defined above */

void incr(int *intptr) {
  if (invalid(intptr)) {
    /* handle error */
    return;
  }
  (*intptr)++;
}

Compliant Solution (assert)

Because an invalid pointer usually indicates a bug in the program, the assert() macro can be used to terminate immediately when one is detected (see MSC11-A. Incorporate diagnostic tests using assertions). Note that assert() is compiled out when NDEBUG is defined, so this solution provides no protection in a release build; the validation expression must also be free of side effects the program depends on, which is the case for invalid().

#include <assert.h>

int invalid(void *p);  /* the pointer validation function defined above */

void incr(int *intptr) {
  assert(!invalid(intptr));
  (*intptr)++;
}
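The invalid() function above catches only null and function pointers, and the compliant incr() inherits that limit. The following is an added example, not code from the original page, of the kind of check a pointer validation library (as the Risk Assessment calls it) can perform instead. It assumes a hypothetical allocation registry, with invented names register_region(), unregister_region(), tracked_malloc() and tracked_free(), that records every object the program wants validated; invalid_obj() then rejects a pointer that is null, misaligned for the requested type, outside every live registered block, overrunning the end of its block, or dangling after the block was freed. A pointer into an object that was never registered (the stack variable in the demo, until it is registered) is rejected as well, so the registry must be told about every object it is expected to accept.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical allocation registry (example only, not the page's invalid()). */
#define MAX_TRACKED 64

struct region {
  uintptr_t base;  /* start address of the object */
  size_t len;      /* size in bytes */
  int live;        /* 0 once the object has been freed or unregistered */
};

static struct region regions[MAX_TRACKED];
static size_t nregions;

/* Record [p, p+len) as a live object. Returns 0 on success, -1 if full. */
int register_region(const void *p, size_t len) {
  if (p == NULL || nregions >= MAX_TRACKED) {
    return -1;
  }
  regions[nregions].base = (uintptr_t)p;
  regions[nregions].len = len;
  regions[nregions].live = 1;
  nregions++;
  return 0;
}

/* Mark the live object starting at p dead. Returns 1 if one was found. */
int unregister_region(const void *p) {
  for (size_t i = 0; i < nregions; i++) {
    if (regions[i].live && regions[i].base == (uintptr_t)p) {
      regions[i].live = 0;
      return 1;
    }
  }
  return 0;
}

void *tracked_malloc(size_t n) {
  void *p = malloc(n);
  if (p != NULL && register_region(p, n) != 0) {
    free(p);
    return NULL;
  }
  return p;
}

/* Frees only a block this registry handed out and still considers live,
   so a double free or a free of a foreign pointer is ignored. */
void tracked_free(void *p) {
  if (unregister_region(p)) {
    free(p);
  }
}

/* Returns nonzero if p cannot be used to access an object of `size` bytes
   with alignment `align`: null, misaligned, outside every live registered
   block, or overrunning the end of the block it points into. */
int invalid_obj(const void *p, size_t size, size_t align) {
  uintptr_t addr = (uintptr_t)p;
  if (p == NULL) {
    return 1;
  }
  if (align != 0 && addr % align != 0) {
    return 1;
  }
  for (size_t i = 0; i < nregions; i++) {
    if (!regions[i].live) {
      continue;
    }
    if (addr >= regions[i].base && addr < regions[i].base + regions[i].len
        && size <= regions[i].base + regions[i].len - addr) {
      return 0;  /* fits entirely inside a live block */
    }
  }
  return 1;
}

/* The page's incr(), using the registry check instead of a bare null test.
   Returns 0 on success, -1 if the pointer was rejected. */
int incr_checked(int *intptr) {
  if (invalid_obj(intptr, sizeof *intptr, _Alignof(int))) {
    return -1;
  }
  (*intptr)++;
  return 0;
}

int main(void) {
  int *arr = tracked_malloc(4 * sizeof *arr);
  int local = 0;
  if (arr == NULL) {
    return 1;
  }
  arr[0] = 41;
  printf("heap element: %s\n", incr_checked(arr) == 0 ? "accepted" : "rejected");
  printf("one past end: %s\n", incr_checked(arr + 4) == 0 ? "accepted" : "rejected");
  printf("unregistered: %s\n", incr_checked(&local) == 0 ? "accepted" : "rejected");
  register_region(&local, sizeof local);
  printf("registered:   %s\n", incr_checked(&local) == 0 ? "accepted" : "rejected");
  tracked_free(arr);
  printf("after free:   %s\n", incr_checked(arr) == 0 ? "accepted" : "rejected");
  unregister_region(&local);
  return 0;
}
```

The registry makes the check exact for the objects it knows about, at the cost of a linear scan per validation and of requiring every accepted object to be registered. It does not solve address reuse: if a freed block's address is handed out again by malloc() and re-registered, an old dangling pointer into it will be accepted, so a library of this kind still needs to be combined with the allocator rather than bolted onto it.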

Risk Assessment

A pointer validation function can detect some invalid pointers before they are dereferenced and so prevent the execution of vulnerable code. Such a check is a heuristic, however: it stops only the classes of invalid pointer it is written to recognize, and must not be mistaken for a guarantee that the pointer refers to a valid object.

...

Rule      Severity  Likelihood  Remediation Cost  Priority  Level
MEM10-A   high      unlikely    high              P3        L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[ISO/IEC 9899:1999] Section 6.3.2.3, "Pointers"
[Jack 07]
[van Sprundel 06]

...