SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 21

changes.mady.by.user Astha Singhal

Saved on

compared with

New Version 22

changes.mady.by.user Astha Singhal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

...

  • Using pointer arithmetic so that the result does not point into or just past the end of the same object
  • Using such pointers in arithmetic expressions
  • Dereferencing pointers that do not point to a valid object in memory
  • Using an array subscript so that the resulting reference does not refer to an element in the array

Wiki MarkupThe C99 standard \ [[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999] \] identifies the following distinct situations in which undefined behavior (UB) can arise as a result of invalid pointer operations:

UB

Description

Example Code

43

Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that does not point into, or just beyond, the same array object.

#Forming Out Of Bounds Pointer

44

Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that points just beyond the array object and is used as the operand of a unary * operator that is evaluated.

#Dereferencing Past The End Pointer, #Using Past The End Index

46

An array subscript is out of range, even if an object is

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="90d21967-f0b6-4925-aa38-ef69b0e69cd3"><ac:plain-text-body><![CDATA[

[46

CC. Undefined Behavior#ub_46]

An array subscript is out of range, even if an object is apparently accessible with the given subscript (as in the lvalue expression a[1][7] given the declaration int a[4][5]).

[#Apparently Accessible Out Of Range Index]

]]></ac:plain-text-body></ac:structured-macro>

59

An

59

An attempt is made to access, or generate a pointer to just past, a flexible array member of a structure when the referenced object provides no elements for that array.

#Pointer Past Flexible Array Member

103

The pointer passed to a library function array parameter does not have a value such that all address computations and object accesses are valid.

#Invalid Access By Library Function

...

Noncompliant Code Example (Dereferencing Past The End Pointer)

Wiki MarkupThe following noncompliant code example shows the flawed logic in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface that was exploited by the W32.Blaster.Worm. The error is that the while loop in the {{GetMachineName()}} function (used to extract the host name from a longer string) is not sufficiently bounded. When the character array pointed to by {{pwszTemp}} does not contain the backslash character among the first {{MAX_COMPUTERNAME_LENGTH_FQDN + 1}} elements, the final valid iteration of the loop will dereference the past the end pointer resulting in exploitable undefined behavior [44|CC. Undefined Behavior#ub_44]. In this case, the actual exploit allowed the attacker to inject executable code into a running program. Economic damage from the Blaster worm has been estimated to be at least $525 million \[[Pethia 2003|AA. Bibliography#Pethia 03]\. In this case, the actual exploit allowed the attacker to inject executable code into a running program. Economic damage from the Blaster worm has been estimated to be at least $525 million [Pethia 2003].

For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-119, "Failure to Constrain Operations within the Bounds of a Memory Buffer" and CWE-121, "Stack-based Buffer Overflow."

...

Noncompliant Code Example (Apparently Accessible Out Of Range Index)

Wiki MarkupThe following noncompliant code example declares {{matrix}} to consist of 7 rows and 5 columns in row-major order. The function {{init_matrix}} then iterates over all 35 elements in an attempt to initialize each to the value given by the function argument {{x}}. However, since multidimensional arrays are declared in C in row-major order, and the function iterates over the elements in column-major order, when the value of {{j}} reaches the value {{COLS}} during the first iteration of the outer loop, the function attempts to access element {{matrix\[0\]\[5\]}}. Since the type of {{matrix}} is {{int\[7\]\[5\]}}, the {{j}} subscript is out of range, and the access has undefined behavior [46|CC. Undefined Behavior#ub_46] j reaches the value COLS during the first iteration of the outer loop, the function attempts to access element matrix[0][5]. Since the type of matrix is int[7][5], the j subscript is out of range, and the access has undefined behavior 46.

Code Block
bgColor#ffcccc
langc
static const size_t COLS = 5;
static const size_t ROWS = 7;

static int matrix[ROWS][COLS];

void init_matrix(int x) {
  for (size_t i = 0; i != COLS; ++i)
    for (size_t j = 0; j != ROWS; ++j)
      matrix[i][j] = x;
}

...

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ARR30-C

high

likely

high

P9

L2

Automated Detection

Tool

Version

Checker

Description

Section

Coverity Prevent

Include Page
c:Coverity_Vc:
Coverity_V
Section

ARRAY_VS_SINGLETON

Section

can detect the access of memory past the end of a memory buffer/array

Section

Coverity Prevent

Include Page
c:Coverity_Vc:
Coverity_V
Section

NEGATIVE_RETURNS

Section

can detect when the loop bound may become negative

Section

Coverity Prevent

Include Page
c:Coverity_Vc:
Coverity_V
Section

OVERRUN_STATIC OVERRUN_DYNAMIC

Section

can detect the out of bound read/write to array allocated statically or dynamically

Section

Klocwork

Include Page
c:Klocwork_Vc:
Klocwork_V
Section

ABV.ITERATOR SV.TAINTED.LOOP_BOUND

 

Section

Compass/ROSE

 

 

Section

could be configured to catch violations of this rule. The way to catch the NCE is to first hunt for example code that follows this pattern:

Code Block
for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\'; *pwszTemp++;)

In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer.

Once this case is handled, we can handle cases like the real NCE, which is effectively the same semantics, just different syntax.

Section

LDRA tool suite

Include Page
c:LDRA_Vc:
LDRA_V
Section

47 S
476 S
64 X
68 X
69 X

Section

Partially Implemented

Related Vulnerabilities

Wiki Markup[CVE-2008-1517|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1517] results from a violation of this rule. Before Mac OSX version 10.5.7, the xnu kernel accessed an array at an unverified, user-input index, allowing an attacker to execute arbitrary code by passing an index greater than the length of the array and therefore accessing outside memory \ [[xorl 2009|http://xorl.wordpress.com/2009/06/09/cve-2008-1517-apple-mac-os-x-xnu-missing-array-index-validation/]\].

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

2009].

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

ISO/IEC 9899:1999 Section 6.7.5.2, "Array declarators"

...

MITRE CWE: CWE-805, "Buffer Access with Incorrect Length Value"

Bibliography

Wiki Markup\[[Finlay 2003|AA. Bibliography#Finlay 03]\] \[[Microsoft 2003|AA. Bibliography#Microsoft 03]\] \[[Pethia 2003|AA. Bibliography#Pethia 03]\] \[[Seacord 2005a|AA. Bibliography#Seacord 05]\] Chapter 1, "Running with Scissors" \[[Viega 2005|AA. Bibliography#Viega 05]\] Section ]
[Microsoft 2003]
[Pethia 2003]
[Seacord 2005a] Chapter 1, "Running with Scissors"
[Viega 2005] Section 5.2.13, "Unchecked array indexing" \
[[xorl 2009|AA. Bibliography#xorl 2009] \ ] ["CVE-2008-1517: Apple Mac OS X (XNU) Missing Array Index Validation"|http://xorl.wordpress.com/2009/06/09/cve-2008-1517-apple-mac-os-x-xnu-missing-array-index-validation/]

...

ARR02-C. Explicitly specify array bounds, even if implicitly defined by an initializer      06. Arrays (ARR)      ARR31-C. Use consistent array notation across all source files