An Every object has a storage duration that determines its lifetime. There are four storage durations: static, thread, automatic, and allocated.
...
Do not attempt to assess an object outside of its lifetime. Attempting to do so is undefined behavior and lead to an exploitable vulnerability. (See also undefined behavior 9 in Appendix J of the C Standard.)
Noncompliant Code Example (
...
Differing Storage Durations)
In this noncompliant code example, the address of local a variable c_str with automatic storage duration is assigned to the variable p, which has static storage duration. The assignment itself is valid, but it is invalid for c_str to go out of scope while p holds its address, as happens at the end of dont_do_this().
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdio.h>
const char *p;
void dont_do_this(void) {
const char c_str[] = "This will change";
p = c_str; /* Dangerous */
}
void innocuous(void) {
printf("%s\n", p);
}
int main(void) {
dont_do_this();
innocuous();
return 0;
} |
Compliant Solution (
...
Same Storage Durations)
In this compliant solution, p is declared with the same scope storage duration as c_str, preventing p from taking on an indeterminate value outside of this_is_OK():
...
Alternatively, both p and c_str could be declared with static scopestorage duration.
Compliant Solution (Differing
...
Storage Durations)
If it is necessary for p to be defined with static storage duration but c_str with a more limited duration, then p can be set to NULL before c_str is destroyed. This practice prevents p from taking on an indeterminate value, although any references to p must check for NULL.
...
In this noncompliant code sample, the function init_array() returns a pointer to a local stack variablecharacter array with automatic storage duration, which could be accessed by the caller:
...
Some compilers generate a diagnostic message when a pointer to an object with automatic variable storage duration is returned from a function, as in this example. Compile your code at high warning levels and resolve any diagnostic messages. (See MSC00-C. Compile cleanly at high warning levels.)
...
In this noncompliant code sampleexample, the function squirrel_away() stores a pointer to local stack variable local into a location pointed to by function parameter ptr_param. Upon the return of squirrel_away(), the pointer ptr_param points to a variable that has an expired lifetime.
| Code Block | ||||
|---|---|---|---|---|
| ||||
void squirrel_away(char **ptr_param) {
char local[10];
/* Initialize array */
*ptr_param = local;
}
void rodent(void) {
char *ptr;
squirrel_away(&ptr);
/* ptr is live but invalid here */
}
|
Compliant Solution (Output Parameter)
The In this compliant solution, the variable local has static storage duration, so ptr is live and valid in the function ; consequently ptr can be used to reference the local array within the rodent() function:
| Code Block | ||||
|---|---|---|---|---|
| ||||
char local[10];
void squirrel_away(char **ptr_param) {
/* Initialize array */
*ptr_param = local;
}
void rodent(void) {
char *ptr;
squirrel_away(&ptr);
/* ptr is livevalid andin validthis herescope */
}
|
Risk Assessment
Referencing an object outside of its lifetime can result in an attacker being able to run execute arbitrary code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DCL30-C | High | Probable | High | P6 | L2 |
...