
...

Reallocating memory using the realloc() function is a regenerative case of freeing memory. The realloc() function deallocates the old object and returns a pointer to a new object.

Using realloc() to resize dynamic memory may inadvertently expose sensitive information, or it may allow heap inspection as described in the Fortify Taxonomy: Software Security Errors [Fortify 2006] and NIST's Source Code Analysis Tool Functional Specification [Black 2007]. When realloc() is called it may allocate a new, larger object, copy the contents of secret to this new object, free() the original object, and assign the newly allocated object to secret. However, the contents of the original object may remain in memory.

#include <stdint.h>
#include <stdlib.h>
#include <string.h>

char *secret;

/* initialize secret */

size_t secret_size = strlen(secret);
/* ... */
if (secret_size > SIZE_MAX/2) {
  /* handle error condition */
}
else {
  /* realloc() may copy the secret into a new object and free the old one,
     leaving the original contents behind in memory */
  secret = (char *)realloc(secret, secret_size * 2);
}

...

The calloc() function ensures that the newly allocated memory has also been cleared. Because sizeof(char) is guaranteed to be 1, this solution does not need to check for a numeric overflow as a result of using calloc(). (See recommendation MEM07-C. Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t.)
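One way to carry out the calloc()-based resize described above (a new zeroed object, the secret copied across, and the original scrubbed before free()), as an added example rather than the page's own compliant solution; secure_clear(), is_all_zero() and resize_secret() are names chosen here, and the volatile-write loop stands in for C11 memset_s(), which not every C library provides.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Overwrite memory through a volatile pointer so the compiler cannot drop the
   writes as dead stores; a portable stand-in for the optional C11 memset_s(). */
static void secure_clear(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Returns nonzero if every byte in p[0..n) is zero (used to verify scrubbing). */
int is_all_zero(const void *p, size_t n) {
    const unsigned char *b = (const unsigned char *)p;
    for (size_t i = 0; i < n; i++) {
        if (b[i] != 0) {
            return 0;
        }
    }
    return 1;
}

/* Double the storage for a NUL-terminated secret without leaving a stale copy:
   calloc() a zeroed object of twice the size, copy the secret across, scrub the
   original object, then free() it. On any error the original object is left
   intact and NULL is returned. */
char *resize_secret(char *secret) {
    size_t secret_size = strlen(secret);
    if (secret_size == 0 || secret_size > SIZE_MAX / 2) {
        return NULL;                     /* zero-length or would-overflow request */
    }
    /* sizeof(char) == 1, so calloc(secret_size * 2, 1) cannot overflow. */
    char *temp = (char *)calloc(secret_size * 2, 1);
    if (temp == NULL) {
        return NULL;
    }
    memcpy(temp, secret, secret_size + 1);   /* include the terminating NUL */
    secure_clear(secret, secret_size + 1);   /* scrub before the object is reused */
    free(secret);
    return temp;
}
```

The unused tail of the new object is zero because calloc() cleared it, so no bytes from a previous allocation can be read back through the larger buffer.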

Risk Assessment

...

In practice, this type of security flaw can expose sensitive information to unintended parties. The Sun tarball vulnerability discussed in Secure Coding Principles & Practices: Designing and Implementing Secure Applications [Graff 2003] and Sun Security Bulletin #00122 [Sun] shows a violation of this recommendation, leading to sensitive data being leaked. Attackers may also be able to leverage this defect to retrieve sensitive information using techniques such as heap inspection.

Recommendation   Severity   Likelihood   Remediation Cost   Priority   Level
MEM03-C          medium     unlikely     high               P2         L3

...

Tool           Version   Checker                         Description
Klocwork                 SV.USAGERULES.UNINTENDED_COPY
Compass/ROSE                                             Could detect possible violations of this rule by first flagging any use of realloc(). It could also flag any use of free() that is not preceded by code that clears the memory being freed (for example, with memset()). This heuristic is imperfect: it flags all possible data leaks, not just leaks of "sensitive" data, because ROSE cannot tell which data is sensitive.

...

ISO/IEC TR 24772 "XZK Sensitive Information Uncleared Before Use"

Bibliography

...

[Black 2007]
[Fortify 2006]
[Graff 2003]

...
