SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 78

changes.mady.by.user Aaron Ballman

Saved on

compared with

New Version 79

changes.mady.by.user Aaron Ballman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

C library functions that make changes to arrays or objects usually take at least two arguments: a pointer to the array or object and an integer indicating the number of elements or bytes to be manipulated. If the arguments are supplied improperly during such a function call, the function may cause the pointer to not point to the object at all or to point past the end of the object, leading to undefined behavior.

Definitions

The C Secure Coding Rules Technical Specification [ISO/IEC TS 17961] defines the following terms:

Given an integer expression E, the derived type T of E is determined as follows:

  • if E is a sizeof expression then T is the type of the operand of the expression,
  • otherwise, if E is an identifier, then T is the derived type of the expression last used to store a value in E,
  • otherwise, if the derived type of each of E's subexpressions is the same, then T is that type,
  • otherwise, the derived type is an unspecified character type compatible with any of char, signed char, and unsigned char.

EXAMPLE For the following declarations:

Code Block
langc
double a[40];
size_t n0 = sizeof (int);
size_t n1 = 256;
size_t n2 = sizeof a / sizeof (*a);

the derived type of n0 is int, and the derived type of n1 and n2 is a (hypothetical) unspecified character type that is compatible with any of char, signed char, and unsigned char.

Consider the following code:

Code Block
int val;
int arr[ARR_SIZE];
size_t c1 = sizeof (val);
size_t c2 = sizeof (arr) / sizeof (val);
size_t c3 = sizeof (arr) / sizeof (*arr);

The derived type for c1 and c2 is int, because both subexpressions have the same type. The derived type for c3 is an unspecified character type compatible with any of char, signed char, and unsigned char.

Expresses either the size of an object with an effective type, or the number of bytes allocated for such an object.

For an object with an effective type T the effective size of the object is the result of the sizeof(T) expression. For an object with no effective type (for example, an object for which space has just been allocated by a call to malloc(N)), the effective size is the number of bytes allocated for it (that is, N).

EXAMPLE 1 The effective size of *p refers to the effective size of the object or space referenced by p minus the offset of p from the beginning of the space or object, respectively.

EXAMPLE 2 For the following declarations

Code Block
langc
int a[5];
void *p = a + 2;

the effective size of *p is equal to sizeof(a - 2) * sizeof(*a), or 12 when sizeof(int) is 4.

The effective size of a pointer is the size of the object to which it points.

In the following code,

Code Block
int arr[5];
int *p = arr;

the effective size of the pointer p is sizeof(arr), that is, 5*sizeof(int).

The effective type of an object is defined as either its declared type or (if its type isn't declared) the effective type of the value assigned to it.

Consider the following code:

Code Block
char *p;
void *q;
q = obj;

In this example, the effective type of p is char. The type of q's type is not declared, but it is later assigned obj. The effective type of q is therefore equal to the effective type of obj.

Standard Library Functions

For the purposes of this rule, the effective size of a pointer is the size of the object to which it points, expressed by the number of elements which are valid to access.

In the following code,

Code Block
int arr[5];
int *p = arr;

unsigned char *p2 = (unsigned char *)arr;
unsigned char *p3 = arr + 2;
void *p4 = arr;

the effective size of the pointer p is sizeof(arr) / sizeof(*arr), that is, 5.  The effective size of the pointer p2, is sizeof(arr), that is, 20 (on platforms where sizeof(int) == 4).  The effective size of the pointer p3 is 12 (on platforms where sizeof(int) == 4), because p3 points two elements past the start of the array arr.  The effective size of p4 is treated as though it were unsigned char * instead of void *, and so is the same as p2.

To guarantee that a standard library function does not construct an out-of-bounds pointer, programmers must heed the following rules when using functions that operate on pointed-to regions:

  • Always express the integer size in terms of the effective size expected by the function.
    • Eg) memcpy() expects the effective size expressed in terms of void *, but wmemcpy() expects the effective size expressed in terms of wchar_t *.
  • For calls that take a pointer and an integer size, the given size should not be greater than the effective size of the pointer.
  • For calls that take a two pointers and an integer size, the given size should not be greater than the effective size of either pointer.
  • For calls that take a pointer and two integers, generally accept one integer representing the size of an individual object, and a second integer representing the number of objects in the array.  The resulting product of the two integers should not be greater than the effective size of the pointer were it expressed as an unsigned char *.   See INT30-C. Ensure that unsigned integer operations do not wrap for more information.
  • For standard memory allocation functions, the size (possibly scaled, as in the case of calloc()) should not be less than the desired effective size of the object being allocated were it expressed as an unsigned char *.  See MEM07-C. Ensure that the arguments to calloc(), when multiplied, do not wrap for more information about calloc().

Standard Library Functions

The following Following are lists of C library functions to which this rule applies.

Library Functions That Take a Pointer and Integer

The following standard library functions take a pointer argument and a size argument, with the constraint that the pointer must point to a valid memory object of at least the number of bytes or wide characters (as appropriate) indicated by the size argument.

fgets()fgetws()mbstowcs()1wcstombs()1
mbrtoc16()2mbrtoc32()2mbsrtowcs()1wcsrtombs()1
mbtowc()2mbrtowc()1mblen()mbrlen()
memchr()wmemchr()memset()wmemset()
strftime()wcsftime()strxfrm()1wcsxfrm()1
strncat()2 wcsncat()2snprintf()vsnprintf()
swprintf()vswprintf()setvbuf()tmpnam_s()
snprintf_s()sprintf_s() vsnprintf_s()vsprintf_s()
gets_s() getenv_s()wctomb_s()mbstowcs_s()3
wcstombs_s()3memcpy_s()3memmove_s()3strncpy_s()3
strncat_s()3strtok_s()2strerror_s()strnlen_s()
asctime_s()ctime_s()snwprintf_s()swprintf_s()
vsnwprintf_s()vswprintf_s()wcsncpy_s()3wmemcpy_s()3
wmemmove_s()3wcsncat_s()3wcstok_s()2wcsnlen_s()
wcrtomb_s()mbsrtowcs_s()3wcsrtombs_s()3 memset_s()4

1 Takes two pointers and an integer, but the integer only specifies the length of the output buffer. not the input buffer.
2 Takes two pointers and an integer, but the integer only specifies the length of the input buffer, not the output buffer.
3 Takes two pointers and two integers; each integer corresponds to the length of one of the pointers.
4 Takes a pointer and two size-related integers; the first size-related integer parameter specifies the size of the buffer, the second size-related integer parameter specifies the number of bytes to write within the buffer.

Library Functions That Take Two Pointers and an Integer

The following standard library functions take two pointer arguments and a size argument, with the constraint that both pointers must point to valid memory objects of at least the number of bytes or wide characters as appropriate, indicated by the size argument.

memcpy()wmemcpy()memmove()wmemmove()
strncpy()wcsncpy()memcmp()wmemcmp()
strncmp()wcsncmp()strcpy_s()wcscpy_s()
strcat_s()wcscat_s()  

 Library Library Functions That Take a Pointer and Two Integers

The following standard library functions take a pointer argument and two size arguments, with the constraint that the pointer must point to a valid memory object containing at least as many bytes as the product of the two size arguments.

bsearch()bsearch_s()qsort()qsort_s()
fread()fwrite()memset_s()1  

1 Takes a pointer and two size-related integers; the first size-related integer parameter specifies the size of the buffer, the second size-related integer parameter specifies the number of bytes to write within the buffer.

Standard Memory Allocation Functions

The following are the standard memory allocation functions that take a size integer argument and return a pointer.

aligned_alloc()

calloc() 

malloc()

realloc() 

Description

To guarantee that a library function does not construct an out-of-bounds pointer, programmers must heed the following rules when using functions that operate on pointed-to regions. These rules assume that func is a function, p and q are pointers, and n is an integer.

...

...

Noncompliant Code Example

...

Code Block
bgColor#ccccff
#include <stdlib.h>
#include <string.h>
 
void f1(size_t nchars, size_t val) {
  char *p = (char *)malloc(nchars);
  const size_t n = valnchars;

  if (nchars < n) {
    /* Handle error */
  } else {
    memset(p, 0, n);
  }
}

Noncompliant Code Example

In this noncompliant code example, the effective type of *p is float, and the derived type of the expression n is int. This is calculated using the first rule from TS 17961's definition of derived types (see Section 4, "Definitions" [ISO/IEC TS 17961]). Because n contains the result of a sizeof expression, its derived type is equal to the type of the operand, which is intsize of the array a is ARR_SIZE elements.  Because memset expects a byte count, the size of the array is scaled incorrectly by sizeof(int) instead of sizeof(float), which can form an invalid pointer on architectures where sizeof(int) != sizeof(float).

Code Block
bgColor#FFcccc
#include <string.h>
 
void f2() {
  const size_t ARR_SIZE = 4;
  float a[ARR_SIZE];
  const size_t n = sizeof(int) * ARR_SIZE;
  void *p = a;

  memset(p, 0, n);
}

...

Compliant Solution
In this compliant solution, the derived type of n is also float:effective size required by memset is properly calculated without resorting to scaling.
 Code Block
bgColor#ccccff
#include <string.h>
 
void f2() {
  const size_t ARR_SIZE = 4;
  float a[ARR_SIZE];
  const size_t n = sizeof(float) * ARR_SIZEa);
  void *p = a;

  memset(p, 0, n);
}

...
In this noncompliant code example, the size of n could be greater than the size of *p. Also, the effective type of *p (int) is different from the effective type of *q (float).
 Code Block
bgColor#FFcccc
#include <string.h>
 
void f3(int *a) {
  float b = 3.14;
  const size_t n = sizeof(b);
  void *p = a;
  void *q = &b;

  memcpy(p, q, n);
}

Although it is noncompliant, this code does not constitute a vulnerability on implementations where sizeof(int) is equal to sizeof(float).
Compliant Solution
This compliant solution ensures that the value of n is not greater than the minimum of the effective sizes of *p and *q and that the effective types of the two pointers are identical (float):
 Code Block
bgColor#ccccff
#include <string.h>
 
void f3(float *a, size_t val) {
  float b = 3.14;
  const size_t n = val;
  void *p = a;
  void *q = &b;

  if( (n > sizeof(a)) || (n > sizeof(b)) ) {
    /* Handle error */
  } else {
    memcpy(p, q, n);
  }
}

Noncompliant Code Example
In this noncompliant code example, the value of n is greater than the size of T, that is, sizeof(wchar_t). But the derived type of expression n (wchar_t *) is not the same as the type of T because its derived type will be equal to the type of p, which is wchar_t*. The derived type of n is calculated using the first rule from TS 17961's definition of derived types (see Section 4, "Definitions" [ISO/IEC TS 17961]). Because n here is a sizeof expression, its derived type is equal to the type of the operand (p), which is wchar_t *value for n is calculated based on the size of a pointer instead of the size of a wchar_t.
 Code Block
bgColor#FFcccc
#include <stdlib.h>
#include <wchar.h>
 
wchar_t *f4() {
  const wchar_t *p = L"Hello, World!";
  const size_t n = sizeof(p) * (wcslen(p) + 1);

  wchar_t *q = (wchar_t *) malloc(n);
  return q;
}

Compliant Solution
This compliant solution ensures that the derived type of n (wchar_t) is the same as the type of T (wchar_t) and that the value of n is not less than the size of T is calculated based on the proper type:
 Code Block
bgColor#ccccff
#include <stdlib.h>
#include <wchar.h>
 
wchar_t *f4() {
  const wchar_t *p = L"Hello, World!";
  const size_t n = sizeof(wchar_t*p) * (wcslen(p) + 1);

  wchar_t *q = (wchar_t *) malloc(n);
  return q;
}

Noncompliant Code Example
In this noncompliant example, a diagnostic is required because the value of n is not computed correctly, allowing a possible write past the end of the object referenced by p:
 Code Block
bgColor#FFcccc
#include <string.h>
 
void f4(char p[], const char *q) {
  const size_t n = sizeof(p); 
  if ((memcpy(p, q, n)) == p) {  /* Violation */
  }
}

Compliant Solution
This compliant solution ensures that n is equal to the size of the character array:
...
Related Guidelines
C Secure Coding StandardAPI00-C. Functions should validate their parameters
INT30-C. Ensure that unsigned integer operations do not wrap
MEM07-C. Ensure that the arguments to calloc(), when multiplied, do not wrap
ISO/IEC TS 17961Forming invalid pointers by library functions [libptr]
...