SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 112

changes.mady.by.user Justin Pincar

Saved on

compared with

New Version 113

changes.mady.by.user Andrew Keeton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Updated [NIST 06b] with [Black 07]

...

In this example, sensitive information stored in the dynamically allocated memory referenced by secret is copied to the dynamically allocated buffer, new_secret, which is processed and eventually deallocated by a call to free(). Because the memory is not cleared, it may be reallocated to another section of the program where the information stored in new_secret may be unintentionally leaked.

Code Block
bgColor#FFcccc

char *secret;

/* initialize secret */

char *new_secret;
size_t size = strlen(secret);
if (size == SIZE_MAX) {
  /* Handle error */
}

new_secret = (char *)malloc(size+1);
if (!new_secret) {
  /* Handle error */
}
strcpy(new_secret, secret);

/* Process new_secret... */

free(new_secret);
new_secret = NULL;

...

To prevent information leakage, dynamic memory containing sensitive information should be sanitized before being freed. This is commonly accomplished by clearing the allocated space (that is, filling the space with '\0' characters).

Code Block
bgColor#ccccff

char *secret;

/* initialize secret */

char *new_secret;
size_t size = strlen(secret);
if (size == SIZE_MAX) {
  /* Handle error */
}

/* use calloc() to zero-out allocated space */
new_secret = (char *)calloc(size+1, sizeof(char));
if (!new_secret) {
  /* Handle error */
}
strcpy(new_secret, secret);

/* Process new_secret... */

/* sanitize memory  */
memset_s(new_secret, '\0', size);
free(new_secret);
new_secret = NULL;

...

Wiki Markup
Using {{realloc()}} to resize dynamic memory may inadvertently expose sensitive information, or it may allow heap inspection as described in the _Fortify Taxonomy: Software Security Errors_ \[[Fortify 06|AA. C References#Fortify 06]\] and NIST's _Source Code Analysis Tool Functional Specification_ \[[NISTBlack 06b07|AA. C References#NISTReferences#Black 06b07]\]. When {{realloc()}} is called it may allocate a new, larger object, copy the contents of {{secret}} to this new object, {{free()}} the original object, and assign the newly allocated object to {{secret}}. However, the contents of the original object may remain in memory.

Code Block
bgColor#FFcccc

char *secret;

/* initialize secret */

size_t secret_size = strlen(secret);
/* ... */
if (secret_size > SIZE_MAX/2) {
   /* handle error condition */
}
else {
secret = (char *)realloc(secret, secret_size * 2);
}

...

A compliant program cannot rely on realloc() because it is not possible to clear the memory prior to the call. Instead, a custom function must be used that operates similar to realloc() but sanitizes sensitive information as heap-based buffers are resized. Again, this is done by overwriting the space to be deallocated with '\0' characters.

Code Block
bgColor#ccccff

char *secret;

/* initialize secret */

size_t secret_size = strlen(secret);
char *temp_buff;
/* ... */
if (secret_size > SIZE_MAX/2) {
   /* handle error condition */
}
/* calloc() initializes memory to zero */
temp_buff = (char *)calloc(secret_size * 2, sizeof(char));
if (temp_buff == NULL) {
 /* Handle error */
}

memcpy(temp_buff, secret, secret_size);

/* sanitize the buffer */
memset((volatile char *)secret, '\0', secret_size);

free(secret);
secret = temp_buff; /* install the resized buffer */
temp_buff = NULL;

...

Wiki Markup
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 226|http://cwe.mitre.org/data/definitions/226.html], "Sensitive Information Uncleared Before Release," [CWE ID 244|http://cwe.mitre.org/data/definitions/244.html], and "Failure to Clear Heap Memory Before Release"
\[[NISTBlack 06b07|AA. C References#NISTReferences#Black 06b07]\]

...

      08. Memory Management (MEM)      MEM04-C. Do not perform zero length allocations