...
Attempting to access an object outside of its lifetime could result in an exploitable vulnerability.
Non-Compliant Code Example (Global Variables)
This non-compliant code example declares the variable p as a pointer to a constant char with file scope. The value of str is assigned to p within the dont_do_this() function. However, str has automatic storage duration so the lifetime of str ends when the dont_do_this() function exits.
...
As a result of this undefined behavior, it is likely that p will refer to the string literal "Surprise, surprise" after the call to the innocuous() function.
Compliant Solution (p with block scope)
In this compliant solution, p is declared with the same scope as str, preventing p from taking on an indeterminate value outside of this_is_OK().
| Code Block | ||
|---|---|---|
| ||
void this_is_OK() {
char const str[] = "Everything OK";
char const *p = str;
/* ... */
}
/* pointer p is now inaccessible outside the scope of string str */
|
Compliant Solution (p with file scope)
If it is necessary for p to be defined with file scope, it can be set to NULL before str is destroyed. This prevents p from taking on an indeterminate value, although any references to p must check for NULL.
| Code Block | ||
|---|---|---|
| ||
char const *p;
void is_this_OK() {
char const str[] = "Everything OK?";
p = str;
/* ... */
p = NULL;
}
|
Non-Compliant Code Example (Return Values)
In this example, the function init_array() incorrectly returns a pointer to a local stack variable.
...
On some compilers, compiling with sufficiently high warning levels will generate a warning when a local stack variable is returned from a function.
Compliant Solution (Return Values)
Correcting this example depends on the intent of the programmer. If the intent is to modify the value of array and have that modification persist outside of the scope of init_array(), then the desired behavior can be achieved by declaring array elsewhere and passing it as an argument to init_array().
| Code Block | ||
|---|---|---|
| ||
int main(int argc, char *argv[]) {
char array[10];
init_array(array);
/* ... */
return 0;
}
void init_array(char array[]) {
/* Initialize array */
return;
}
|
Risk Assessment
Referencing an object outside of its lifetime could result in an attacker being able to run arbitrary code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DCL30-C | 3 (high) | 2 (probable) | 1 (high) | P6 | L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Automated Detection
The Coverity Prevent RETURN_LOCAL checker finds many instances where a function will return a pointer to a local stack variable.
References
| Wiki Markup |
|---|
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.2.4, "Storage durations of objects," and Section 7.20.3, "Memory management functions" |