...
In this noncompliant code example, length
is the value of a user-defined (and thus potentially untrusted) environment variable whose value is used to determine the size of a dynamically allocated array, table
. In compliance with INT30-C. Ensure that unsigned integer operations do not wrap, the code prevents unsigned integer wrapping but doesn't impose any upper bound on the size of the array, making it possible for the user to cause the program to use an excessive amount of memory.
...
This compliant solution defines the acceptable range for length
as [1, MAX_TABLE_LENGTH]
. The length
parameter is declared as size_t
, which is unsigned by definition. Consequently, it is not necessary to check length
for negative values. (See INT01-C. Use rsize_t or size_t for all integer values representing the size of an object.)
Code Block | ||||
---|---|---|---|---|
| ||||
enum { MAX_TABLE_LENGTH = 256 }; char** create_table(void) { const char* const lenstr = getenv("TABLE_SIZE"); const size_t length = lenstr ? strtoul(lenstr, NULL, 10) : 0; if (length == 0 || length > MAX_TABLE_LENGTH) return NULL; /* indicate error to caller */ const size_t table_size = length * sizeof(char *); char** const table = (char **)malloc(table_size); if (table == NULL) return NULL; /* indicate error to caller */ /* initialize table... */ return table; } |
The test for length == 0
ensures that a nonzero number of bytes is allocated. (See MEM04-C. Do not perform zero-length allocations.)
Risk Assessment
...
ISO/IEC TR 17961 (Draft) Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink]
Bibliography
[Seacord 2005a] Chapter 5, "Integer Security"
...