SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 69

changes.mady.by.user Astha Singhal

Saved on

compared with

New Version 70

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

In this noncompliant code example, length is the value of a user-defined (and thus potentially untrusted) environment variable whose value is used to determine the size of a dynamically allocated array, table. In compliance with INT30-C. Ensure that unsigned integer operations do not wrap, the code prevents unsigned integer wrapping but it doesn't impose any upper bound on the size of the array, making it possible for the user to cause the program to use an excessive amount of memory.

Code Block
bgColor#ffcccc
langc

char** create_table(void) {
  const char* const lenstr = getenv("TABLE_SIZE");
  const size_t length = lenstr ? strtoul(lenstr, NULL, 10) : 0;

  if (length > SIZE_MAX / sizeof(char *))
    return NULL;   /* indicate error to caller */

  const size_t table_size = length * sizeof(char *);
  char** const table = (char **)malloc(table_size);

  if (table == NULL)
    return NULL;   /* indicate error to caller */

  /* initialize table... */
  return table;
}

...

This compliant solution defines the acceptable range for length as [1, MAX_TABLE_LENGTH]. The length parameter is declared as size_t, which is unsigned by definition. Consequently, it is not necessary to check length for negative values. (See recommendation INT01-C. Use rsize_t or size_t for all integer values representing the size of an object.)

Code Block
bgColor#ccccff
langc

enum { MAX_TABLE_LENGTH = 256 };

char** create_table(void) {
  const char* const lenstr = getenv("TABLE_SIZE");
  const size_t length = lenstr ? strtoul(lenstr, NULL, 10) : 0;

  if (length == 0 || length > MAX_TABLE_LENGTH)
    return NULL;   /* indicate error to caller */

  const size_t table_size = length * sizeof(char *);
  char** const table = (char **)malloc(table_size);

  if (table == NULL)
    return NULL;   /* indicate error to caller */

  /* initialize table... */
  return table;
}

The test for length == 0 ensures that a nonzero number of bytes is allocated. (See recommendation MEM04-C. Do not perform zero length allocations.)

...

CERT C++ Secure Coding Standard: INT04-CPP. Enforce limits on integer values originating from untrusted sources

ISO/IEC TR 17961 (Draft) Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink] 

Bibliography

[Seacord 2005a] Chapter 5, "Integer Security"

...