...
#include <stdlib.h>
#include <string.h>

#define BUFFERSIZE 256 /* assumed value; the excerpt does not show the definition */

int main(int argc, const char *argv[]) {
  char *buff;
  if (argc < 2) {
    /* Handle missing argument */
    return 1;
  }
  buff = (char *)malloc(BUFFERSIZE);
  if (!buff) {
    /* Handle error condition */
    return 1;
  }
  /* ... */
  strncpy(buff, argv[1], BUFFERSIZE-1);
  buff[BUFFERSIZE-1] = '\0'; /* strncpy does not guarantee termination */
  /* ... */
  free(buff); /* buff is never read or written after this point */
  return 0;
}
Noncompliant Code Example
In this noncompliant example (CVE-2009-1364, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1364) from libwmf version 0.2.8.4, the return value of gdRealloc (a simple wrapper around realloc that reallocates the space pointed to by im->clip->list) is assigned to more. However, im->clip->list is used directly afterward in the code, and the C Standard specifies that if realloc moves the block, the original block is freed. An attacker can then execute arbitrary code by forcing a reallocation (with a sufficient im->clip->count) and accessing freed memory [xorl 2009].
void gdClipSetAdd(gdImagePtr im,gdClipRectanglePtr rect) {
  gdClipRectanglePtr more;
  if (im->clip == 0) {
    ...
  }
  if (im->clip->count == im->clip->max) {
    more = gdRealloc (im->clip->list,(im->clip->max + 8) *
                      sizeof (gdClipRectangle));
    if (more == 0) return; /* if the realloc fails, then we have not lost the im->clip->list value */
    im->clip->max += 8;
    /* im->clip->list is never updated to more: if realloc moved the block,
       the pointer below refers to freed memory */
  }
  im->clip->list[im->clip->count] = (*rect);
  im->clip->count++;
}
Compliant Solution
The compliant solution simply reassigns im->clip->list to the value of more after the call to realloc.
void gdClipSetAdd(gdImagePtr im,gdClipRectanglePtr rect) {
  gdClipRectanglePtr more;
  if (im->clip == 0) {
    ...
  }
  if (im->clip->count == im->clip->max) {
    more = gdRealloc (im->clip->list,(im->clip->max + 8) *
                      sizeof (gdClipRectangle));
    if (more == 0) return;
    im->clip->max += 8;
    im->clip->list = more; /* adopt the new block before any further access */
  }
  im->clip->list[im->clip->count] = (*rect);
  im->clip->count++;
}
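The following self-contained program is an added example, not code from libwmf or from this standard. It reproduces the grow-by-8 pattern of gdClipSetAdd with assumed names (ClipRect, ClipList, clip_grow, clip_add) and shows the two properties the compliant solution relies on: the pointer returned by realloc is adopted before any further access, and on failure the old list is left untouched and still valid. It also guards the size computation against overflow, which the page's excerpt does not show.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for libwmf's gdClipRectangle (names are assumed). */
typedef struct { int x0, y0, x1, y1; } ClipRect;

typedef struct {
    ClipRect *list;   /* heap array, grown in steps of 8 like im->clip->list */
    size_t count;     /* rectangles in use */
    size_t max;       /* rectangles allocated */
} ClipList;

enum { CLIP_GROW = 8 };

/* Grow cl->list so that at least one more rectangle fits.
 * Returns 0 on success, -1 on failure. On failure the old list is untouched
 * and still valid: realloc leaves the block alone when it returns NULL. */
int clip_grow(ClipList *cl) {
    size_t new_max = cl->max + CLIP_GROW;
    ClipRect *more;

    /* Reject wrap-around and sizes that would overflow the multiplication. */
    if (new_max < cl->max || new_max > SIZE_MAX / sizeof *more)
        return -1;
    more = realloc(cl->list, new_max * sizeof *more);
    if (more == NULL)
        return -1;
    /* The fix from the compliant solution: adopt the new pointer at once.
     * After this line nothing may use the old cl->list value. */
    cl->list = more;
    cl->max = new_max;
    return 0;
}

/* Append one rectangle, growing the list when it is full. Returns 0 or -1. */
int clip_add(ClipList *cl, const ClipRect *rect) {
    if (cl->count == cl->max && clip_grow(cl) != 0)
        return -1;
    cl->list[cl->count] = *rect;   /* writes through the current pointer only */
    cl->count++;
    return 0;
}

void clip_free(ClipList *cl) {
    free(cl->list);
    cl->list = NULL;
    cl->count = cl->max = 0;
}

/* Push n constructed rectangles, forcing several reallocations, then verify
 * every stored rectangle is intact. Returns the number of failures found. */
size_t clip_selftest(size_t n) {
    ClipList cl = { NULL, 0, 0 };
    size_t i, bad = 0;
    for (i = 0; i < n; i++) {
        ClipRect r = { (int)i, (int)i + 1, (int)i + 2, (int)i + 3 };
        if (clip_add(&cl, &r) != 0)
            bad++;
    }
    for (i = 0; i < cl.count; i++) {
        if (cl.list[i].x0 != (int)i || cl.list[i].y1 != (int)i + 3)
            bad++;
    }
    clip_free(&cl);
    return bad;
}

int main(void) {
    return clip_selftest(1000) == 0 ? 0 : 1;
}
```

Running the program under AddressSanitizer or Valgrind is a quick way to confirm that no access goes through the pre-realloc pointer; removing the `cl->list = more;` line reproduces the noncompliant behaviour and is reported as a heap-use-after-free once the list is moved.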
Risk Assessment
Reading memory that has already been freed can lead to abnormal program termination and denial-of-service attacks. Writing memory that has already been freed can lead to the execution of arbitrary code with the permissions of the vulnerable process.
...
Klocwork Version 8.0.4.16 can detect violations of this rule with the UFM.DEREF.MIGHT, UFM.DEREF.MUST, UFM.FFM.MIGHT, UFM.FFM.MUST, UFM.PARAMPASS.MIGHT, UFM.PARAMPASS.MUST, UFM.RETURN.MIGHT, UFM.RETURN.MUST, UFM.USE.MIGHT, and UFM.USE.MUST checkers.
Related Vulnerabilities
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
...