SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 25

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 26

changes.mady.by.user David Svoboda

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
bgColor#FFCCCC
langc
int (*log_fn)(const char *, ...) = printf;
/* ... */
log_fn("foo");

If a vulnerability exists in this program that allows an attacker to overwrite the log_fn function pointer, such as a buffer overflow or arbitrary memory write, the attacker may be able to overwrite the value of printf with the location of an arbitrary function.
...
 Code Block
bgColor#ccccff
langc
#include <Windows.h>
 
void *log_fn = EncodePointer(printf);
/* ... */
int (*fn)(const char *, ...) = (int (*)(const char *, ...))DecodePointer(log_fn);

fn("foo");
Note that DecodePointer() does not return success or failure.  If an attacker has overwritten the pointer contained in log_fn, the pointer returned will be invalid and cause your application to crash.  However, this is preferable to giving an attacker the ability to execute arbitrary code. 
...
SEI CERT C++ Coding StandardMSC16-CPP. Consider encrypting function pointers
MITRE CWECWE-311, Missing encryption of sensitive data
Bibliography
[MSDNAA. Bibliography#MSDN]EncodePointer()
DecodePointer()
Microsoft Corporation 2012
Microsoft Security Development Lifecycle (SDL) – version 5.2Phase 3: Implementation
 
...
  Image Modified