SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 23

changes.mady.by.user Astha Singhal

Saved on

compared with

New Version 24

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Using pointer arithmetic so that the result does not point into or just past the end of the same object
  • Using such pointers in arithmetic expressions
  • Dereferencing pointers that do not point to a valid object in memory
  • Using an array subscript so that the resulting reference does not refer to an element in the array

The C99 C standard [ISO/IEC 9899:19992011] identifies the following distinct situations in which undefined behavior (UB) can arise as a result of invalid pointer operations:

UB

Description

Example Code

43 46

Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that does not point into, or just beyond, the same array object.

#Forming Forming Out Of -of-Bounds Pointer

44 47

Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that points just beyond the array object and is used as the operand of a unary * operator that is evaluated.

#Dereferencing Past The the End Pointer, #Using Past The the End Index

46 49

An array subscript is out of range, even if an object is apparently accessible with the given subscript (as in the lvalue expression a[1][7] given the declaration int a[4][5]).

#Apparently Accessible Out Of -of-Range Index

59 62

An attempt is made to access, or generate a pointer to just past, a flexible array member of a structure when the referenced object provides no elements for that array.

#Pointer Past Flexible Array Member

103 109

The pointer passed to a library function array parameter does not have a value such that all address computations and object accesses are valid.

#Invalid Access By by Library Function

Anchor
#Formingoutofboundspointer
#FormingoutofboundspointerForming Out Of Bounds PointerForming Out Of Bounds Pointer

Noncompliant Code Example (Forming Out

...

-of-Bounds Pointer)

In the following noncompliant code example the function f() attempts to validate the index before using it as an offset to the statically allocated table of integers. However, the function fails to reject negative index values. When index is less than zero, the behavior of the addition expression in the return statement of the function is undefined 43 46. On some implementations, the addition alone can trigger a hardware trap. On other implementations, the addition may produce a result that when dereferenced can trigger a hardware trap. Other implementations still may produce a dereferenceable pointer that points to an object distinct from table. Using such a pointer to access the object may lead to information exposure or cause the wrong object to be modified.

Code Block
bgColor#ffcccc
langc

enum { TABLESIZE = 100 };

static int table[TABLESIZE];

int* f(int index) {
  if (index < TABLESIZE)
    return table + index;

  return NULL;
}

...

Code Block
bgColor#ccccff
langc

enum { TABLESIZE = 100 };

static int table[TABLESIZE];

int* f(int index) {
  if (0 <= index && index < TABLESIZE)
    return table + index;

  return NULL;
}

...

Another, slightly simpler and potentially more efficient compliant solution is to use an unsigned type to avoid having to check for negative values while still rejecting out-of-bounds positive values of index.

Code Block
bgColor#ccccff
langc

enum { TABLESIZE = 100 };

static int table[TABLESIZE];

int* f(size_t index) {
  if (index < TABLESIZE)
    return table + index;

  return NULL;
}

Anchor
Dereferencing #Dereferencing Past The the End PointerDereferencing
#Dereferencing Past The the End Pointer

Noncompliant Code Example (Dereferencing Past

...

the End Pointer)

The following noncompliant code example shows the flawed logic in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface that was exploited by the W32.Blaster.Worm. The error is that the while loop in the GetMachineName() function (used to extract the host name from a longer string) is not sufficiently bounded. When the character array pointed to by pwszTemp does not contain the backslash character among the first MAX_COMPUTERNAME_LENGTH_FQDN + 1 elements, the final valid iteration of the loop will dereference the past the end pointer, resulting in exploitable undefined behavior 44 47. In this case, the actual exploit allowed the attacker to inject executable code into a running program. Economic damage from the Blaster worm has been estimated to be at least $525 million [Pethia 2003].

For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-119, "Failure to Constrain Operations within the Bounds of a Memory Buffer," and CWE-121, "Stack-based Buffer Overflow."

Code Block
bgColor#ffcccc
langc

error_status_t _RemoteActivation(
      /* ... */, WCHAR *pwszObjectName, ... ) {
   *phr = GetServerPath(
              pwszObjectName, &pwszObjectName);
    /* ... */
}

HRESULT GetServerPath(
  WCHAR *pwszPath, WCHAR **pwszServerPath ){
  WCHAR *pwszFinalPath = pwszPath;
  WCHAR wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1];
  hr = GetMachineName(pwszPath, wszMachineName);
  *pwszServerPath = pwszFinalPath;
}

HRESULT GetMachineName(
  WCHAR *pwszPath,
  WCHAR wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1])
{
  pwszServerName = wszMachineName;
  LPWSTR pwszTemp = pwszPath + 2;
  while ( *pwszTemp != L'\\' )
    *pwszServerName++ = *pwszTemp++;
  /* ... */
}

...

In the following compliant solution, the while loop in the GetMachineName() function is bounded so that the loop terminates when a backslash character is found, the null termination character (L'\0') is discovered, or when the end of the buffer is reached. This code does not result in a buffer overflow, even if no backslash character is found in wszMachineName.

Code Block
bgColor#ccccff
langc

HRESULT GetMachineName(
  wchar_t *pwszPath,
  wchar_t wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1])
{
  wchar_t *pwszServerName = wszMachineName;
  wchar_t *pwszTemp = pwszPath + 2;
  wchar_t *end_addr
    = pwszServerName + MAX_COMPUTERNAME_LENGTH_FQDN;
  while ( (*pwszTemp != L'\\')
     &&  ((*pwszTemp != L'\0'))
     && (pwszServerName < end_addr) )
  {
    *pwszServerName++ = *pwszTemp++;
  }

  /* ... */
}

This compliant solution is for illustrative purposes and is not necessarily the solution implemented by Microsoft. This particular "solution" may not be correct because there is no guarantee that a backslash is found.

Anchor
Using Past The the End Index
Using Past The the End Index

Noncompliant Code Example (Using Past

...

the End Index)

Similarly to the #Dereferencing Past The the End Pointer error, the function insert_in_table() in the following noncompliant code example uses an otherwise valid index to attempt to store a value in an element just past the end of an array.

First, the function incorrectly validates the index pos against the size of the buffer. When the index is equal to size, the function will attempt attempts to store value in a memory location just past the end of the buffer.

Second, when the index is greater than size, the function modifies size before growing the size of the buffer. If the call to realloc() fails to increase the size of the buffer, the next call to the function with a value of pos equal to or greater than the original value of size will again attempt to store value in a memory location just past the end of the buffer or beyond.

For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-122, "Heap-based Buffer Overflow," and CWE-129, "Improper Validation of Array Index."

Code Block
bgColor#ffcccc
langc

static int *table = NULL;
static size_t size = 0;

int insert_in_table(size_t pos, int value) {
  if (size < pos) {
    int *tmp;
    size = pos + 1;
    tmp = (int*)realloc(table, sizeof *table * size);
    if (NULL == tmp)
      return -1;

    table = tmp;
  }

  table[pos] = value;
  return 0;
}

...

Code Block
bgColor#ccccff
langc

static int *table = NULL;
static size_t size = 0;

int insert_in_table(size_t pos, int value) {
  if (size <= pos) {
    int *tmp = (int*)realloc(table, sizeof *table * (pos + 1));
    if (NULL == tmp)
      return -1;   /* indicate failure */

    /* modify size only after realloc succeeds */
    size  = pos + 1;
    table = tmp;
  }

  table[pos] = value;
  return 0;
}

Anchor
Apparently Accessible Out Of -of-Range Index
Apparently Accessible Out Of -of-Range Index

Noncompliant Code Example (Apparently Accessible Out

...

-of-Range Index)

The following noncompliant code example declares matrix to consist of 7 rows and 5 columns in row-major order. The function init_matrix then iterates over all 35 elements in an attempt to initialize each to the value given by the function argument x. However, since multidimensional arrays are declared in C in row-major order, and the function iterates over the elements in column-major order, and when the value of j reaches the value COLS during the first iteration of the outer loop, the function attempts to access element matrix[0][5]. Since  Because the type of matrix is int[7][5], the j subscript is out of range, and the access has undefined behavior 46 49.

Code Block
bgColor#ffcccc
langc

static const size_t COLS = 5;
static const size_t ROWS = 7;

static int matrix[ROWS][COLS];

void init_matrix(int x) {
  for (size_t i = 0; i != COLS; ++i)
    for (size_t j = 0; j != ROWS; ++j)
      matrix[i][j] = x;
}

...

Code Block
bgColor#ccccff
langc

static const size_t COLS = 5;
static const size_t ROWS = 7;

static int matrix[ROWS][COLS];

void init_matrix(int x) {
  for (size_t i = 0; i != ROWS; ++i)
    for (size_t j = 0; j != COLS; ++j)
      matrix[i][j] = x;
}

...

In the following noncompliant code example the function find() attempts to iterate over the elements of the flexible array member buf, starting with the second element. However, since function g() does not allocate any storage for the member, the expression first++ in find() will attempt attempts to form a pointer just past the end of buf when there are no elements. This attempt results in undefined behavior 59 62.

Code Block
bgColor#ffcccc
langc

struct S {
  size_t len;
  char   buf[];   /* flexible array member */
};

char* find(const struct S *s, int c) {
  char *first = s->buf;
  char *last  = s->buf + s->len;

  while (first++ != last)   /* undefined behavior here */
    if (*first == (unsigned char)c)
      return first;

  return NULL;
}

void g() {
  struct S *s = (struct S*)malloc(sizeof (struct S));
  s->len = 0;
  /* ... */
  char *where = find(s, '.');
  /* ... */
}

...

Code Block
bgColor#ccccff
langc

struct S {
  size_t len;
  char   buf[];   /* flexible array member */
};

char* find(const struct S *s, int c) {
  char *first = s->buf;
  char *last  = s->buf + s->len;

  while (first != last)   /* avoid incrementing here */
    if (*++first == (unsigned char)c)
      return first;

  return NULL;
}

void g() {
  struct S *s = (struct S*)malloc(sizeof (struct S));
  s->len = 0;
  /* ... */
  char *where = find(s, '.');
  /* ... */
}

Anchor
Invalid Access By by Library Function
Invalid Access By by Library Function

Noncompliant Code Example (Invalid Access

...

by Library Function)

In the following noncompliant code example, the function f() calls fread() to read nitems of type wchar_t, each size bytes in size, into an array of BUFSIZ elements, wbuf. However, the expression used to compute the value of nitems fails to account for the fact that, unlike the size of char, the size of wchar_t may be greater than 1. Thus, fread() could attempt to form pointers past the end of wbuf and use them to assign values to non-existing nonexisting elements of the array. Such an attempt results in undefined behavior 103 109. A likely manifestation of this undefined behavior is a classic buffer overflow, which is often exploitable by code injection attacks.

For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-121, "Access of Memory Location After End of Buffer," and CWE-805, "Buffer Access with Incorrect Length Value."

Code Block
bgColor#ffcccc
langc

void f(FILE *file) {
  wchar_t wbuf[BUFSIZ];

  const size_t size = sizeof *wbuf;
  const size_t nitems = sizeof wbuf;

  size_t nread;

  nread = fread(wbuf, size, nitems, file);
  /* ... */
}

...

Code Block
bgColor#ccccff
langc

void f(FILE *file) {
  wchar_t wbuf[BUFSIZ];

  const size_t size = sizeof *wbuf;
  const size_t nitems = sizeof wbuf / size;

  size_t nread;

  nread = fread(wbuf, size, nitems, file);
  /* ... */
}

...

sectioncan sectioncan sectioncan sectionsectioncould the NCE is NCEsectionsection Partially Implemented

Tool

Version

Checker

Description

Section

Coverity Prevent

Include Page
Coverity_V
Coverity_V

ARRAY_VS_SINGLETON

Section

Can detect the access of memory past the end of a memory buffer/array

.

Coverity Prevent

Include Page
Coverity_V
Coverity_V
Section

NEGATIVE_RETURNS

Section

Can detect when the loop bound may become negative

.

Coverity Prevent

Include Page
Coverity_V
Coverity_V
Section

OVERRUN_STATIC
OVERRUN_DYNAMIC

Section

Can detect the out-of-bound read/write to array allocated statically or dynamically

.

Klocwork

Include Page
Klocwork_V
Klocwork_V
Section

ABV.ITERATOR SV.TAINTED.LOOP_BOUND

 

Compass/ROSE

  
Section

Could be configured to catch violations of this rule. The way to catch

the noncompliant code example is to first hunt for example code that follows this pattern:

Code Block
   for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\';
   *pwszTemp++;)

In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer.

Once this case is handled, we can handle cases like the real

noncompliant code example, which is effectively the same semantics, just different syntax. 

 

LDRA tool suite

 
Include Page
LDRA_V
LDRA_V
 

47 S
476 S
64 X
68 X
69 X

Section
 Partially implemented.

Related Vulnerabilities

CVE-2008-1517 results from a violation of this rule. Before Mac OSX version 10.5.7, the xnu kernel accessed an array at an unverified, user-input index, allowing an attacker to execute arbitrary code by passing an index greater than the length of the array and therefore accessing outside memory [xorl 2009].

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

ISO/IEC 9899:19992011 Section 6.7.5.2, "Array declarators"

ISO/IEC TR 17961 (Draft) Forming or using out-of-bounds pointers or array subscripts [invptr]

ISO/IEC TR 24772 "XYX Boundary Beginning Violation," "XYY Wrap-around Error," and "XYZ Unchecked Array Indexing"

...

MITRE CWE: CWE-788, "Access of Memory Location After after End of Buffer"

MITRE CWE: CWE-805, "Buffer Access with Incorrect Length Value"

...

[Finlay 2003]
[Microsoft 2003]
[Pethia 2003]
[Seacord 2005a] Chapter 1, "Running with Scissors"
[Viega 2005] Section 5.2.13, "Unchecked array indexingArray Indexing"
[xorl 2009 ] "CVE-2008-1517: Apple Mac OS X (XNU) Missing Array Index Validation"

...