SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 2

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 3

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Wiki Markup
Verifiably in range operations are often preferable to treating out of range values as an error condition because the handling of these errors has been repeatedly shown to cause denial-of-service problems in actual applications. The quintessential example of this is the failure of the Ariane 5 launcher which occurred due to an improperly handled conversion error resulting in the processor being shutdown \[Lions 96\].

Faced with an integer overflow, the underlying computer system may do one of two things: (a) signal some sort of error condition, or (b) produce an integer result that is within the range of representable integers on that system. The latter semantics may be preferable in some situations in that it allows the computation to proceed, thus avoiding a denial-of-service attack. However, it raises the question of what integer result to return to the user.

Below is set out definitions of two algorithms that produce integer results that are always within a defined range, namely between the integer values MIN and MAX (inclusive), where MIN and MAX are two representable integers with MIN < MAX. This method of producing integer results is called Verifiably-in-Range Integers. The two algorithms are Saturation and Modwrap, defined in the following two subsections.

Saturation Semantics

For saturation semantics, assume that the mathematical result of the computation is result. The value actually returned to the user is set out in the following table:

range of mathematical result

result returned

MAX < result

MAX

MIN <= result <= MAX

result

result < MIN

MIN

Modwrap Semantics

Wiki Markup
Modwrap semantics is where the integer values "wrap round" (also called _modulo_ arithmetic).  That is, adding one to {{MAX}} produces {{MIN}}.  This is the defined behavior for unsigned integers in the C Standard \[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] (see Section 6.2.5, "Types", paragraph 9) and, very often, is the behavior of signed integers also.  However, in many applications, it would be more sensible to use saturation semantics rather than modwrap semantics.  For example, in the computation of a size (using unsigned integers), it is often better for the size to stay at the maximum value in the event of overflow, rather than suddenly becoming a very small value.

Risk Assessment

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

INT08-A

2 (medium)

2 (probable)

1 (high)

P4

L3

...