Integer overflow is undefined behavior. This means that implementations have a great deal of latitude in how they deal with signed integer overflow. An implementation that defines signed integer types as being modulo, for example, need not detect integer overflow. Implementations may also trap on signed arithmetic overflows, or simply assume that overflows will never happen and generate object code accordingly. (See guideline recommendation MSC15-C. Do not depend on undefined behavior.) For these reasons, it is important to ensure that operations on signed integers do not result in signed overflow. Of particular importance, however, are operations on signed integer values that originate from untrusted sources and are used in any of the following ways:
...
The following sections examine specific operations that are susceptible to integer overflow. When operating on small integer types (smaller than int), integer promotions are applied. The usual arithmetic conversions may also be applied to (implicitly) convert operands to equivalent types before arithmetic operations are performed. Make sure you understand integer conversion rules before trying to implement secure arithmetic operations. (See guideline recommendation INT02-C. Understand integer conversion rules.)
...
Addition is between two operands of arithmetic type or between a pointer to an object type and an integer type. (See guideline rules ARR37-C. Do not add or subtract an integer to a pointer to a non-array object and ARR38-C. Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element for the rules about adding an integer to a pointer.) Incrementing is equivalent to adding one.
...
This compliant solution works only on architectures that use two's complement representation. While most modern platforms use two's complement representation, it is best not to introduce unnecessary platform dependencies. (See guideline recommendation MSC14-C. Do not introduce unnecessary platform dependencies.) This solution can also be more expensive than a post-condition test, especially on RISC CPUs.
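The following is an added example, not code from the original page, covering the addition section above and the two's complement note: a portable precondition test that decides from the operands alone whether the sum is representable, beside the two's-complement-only variant that performs the addition in unsigned arithmetic and inspects the sign bit. The function names safe_add and safe_add_twos_complement and the sample inputs in main are my own.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Portable precondition test for si_a + si_b.  The comparisons use only
 * values that cannot themselves overflow (INT_MAX - si_b when si_b > 0,
 * INT_MIN - si_b when si_b < 0), so the overflowing addition is never
 * evaluated.  Returns 1 and stores the sum, or 0 if it would overflow. */
int safe_add(int si_a, int si_b, int *sum) {
    if ((si_b > 0 && si_a > INT_MAX - si_b) ||
        (si_b < 0 && si_a < INT_MIN - si_b)) {
        return 0;
    }
    *sum = si_a + si_b;
    return 1;
}

/* Two's-complement-only variant.  Unsigned addition wraps (defined
 * behaviour), and on a two's complement machine the wrapped bit pattern is
 * exactly what the signed addition would have produced.  Overflow occurred
 * iff both operands have the same sign and the result has the other sign,
 * which the XOR/AND expression tests in the sign bit.  Converting the
 * unsigned result back to int is implementation-defined when the value
 * exceeds INT_MAX; relying on it to preserve the bit pattern is the platform
 * dependency MSC14-C cautions against. */
int safe_add_twos_complement(int si_a, int si_b, int *sum) {
    unsigned int ua = (unsigned int)si_a;
    unsigned int ub = (unsigned int)si_b;
    unsigned int usum = ua + ub;
    if (((usum ^ ua) & (usum ^ ub)) & (unsigned int)INT_MIN) {
        return 0;
    }
    *sum = (int)usum;
    return 1;
}

int main(void) {
    /* Constructed inputs: the last three are boundary cases. */
    int pairs[][2] = { {1, 2}, {INT_MAX, 1}, {INT_MIN, -1}, {-5, INT_MIN + 5} };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; ++i) {
        int sum;
        if (safe_add(pairs[i][0], pairs[i][1], &sum)) {
            printf("%d + %d = %d\n", pairs[i][0], pairs[i][1], sum);
        } else {
            printf("%d + %d would overflow\n", pairs[i][0], pairs[i][1]);
        }
    }
    return 0;
}
```

Both functions reject INT_MAX + 1 and INT_MIN + (-1) and accept sums that land exactly on INT_MAX or INT_MIN; the portable version never performs an out-of-range operation, so it is the one to prefer unless the platform dependency has been deliberately accepted.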
...
Subtraction is between two operands of arithmetic type, between two pointers to qualified or unqualified versions of compatible object types, or between a pointer to an object type and an integer type. (See guideline rules ARR36-C. Do not subtract or compare two pointers that do not refer to the same array, ARR37-C. Do not add or subtract an integer to a pointer to a non-array object, and ARR38-C. Do not add or subtract an integer to a pointer if the resulting value does not refer to a valid array element for information about pointer subtraction.) Decrementing is equivalent to subtracting one.
...
This compliant solution only works on architectures that use two's complement representation. While most modern platforms use two's complement representation, it is best not to introduce unnecessary platform dependencies. (See guideline recommendation MSC14-C. Do not introduce unnecessary platform dependencies.)
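An added example for the subtraction section, not code from the original page: the portable precondition test for si_a - si_b, the two's-complement-only variant, and a decrement guard built on the portable check since decrementing is subtracting one. The names safe_sub, safe_sub_twos_complement and safe_decrement are my own.

```c
#include <limits.h>
#include <stdio.h>

/* Portable precondition test for si_a - si_b.  INT_MIN + si_b (si_b > 0) and
 * INT_MAX + si_b (si_b < 0) are always representable, so nothing evaluated
 * here can overflow.  Returns 1 and stores the difference, or 0 on overflow. */
int safe_sub(int si_a, int si_b, int *diff) {
    if ((si_b > 0 && si_a < INT_MIN + si_b) ||
        (si_b < 0 && si_a > INT_MAX + si_b)) {
        return 0;
    }
    *diff = si_a - si_b;
    return 1;
}

/* Two's-complement-only variant.  Subtraction overflows iff the operands have
 * different signs and the result's sign differs from the minuend's; the
 * expression tests exactly that in the sign bit of the wrapped unsigned
 * result.  The final unsigned-to-int conversion is implementation-defined
 * for values above INT_MAX, which is the platform dependency of this form. */
int safe_sub_twos_complement(int si_a, int si_b, int *diff) {
    unsigned int ua = (unsigned int)si_a;
    unsigned int ub = (unsigned int)si_b;
    unsigned int udiff = ua - ub;
    if (((ua ^ ub) & (udiff ^ ua)) & (unsigned int)INT_MIN) {
        return 0;
    }
    *diff = (int)udiff;
    return 1;
}

/* --x is x - 1, so it is guarded the same way; *x is left untouched on failure. */
int safe_decrement(int *x) {
    return safe_sub(*x, 1, x);
}

int main(void) {
    int d;
    int counter = INT_MIN + 1;        /* constructed: one step above the floor */
    printf("5 - 3: %s\n", safe_sub(5, 3, &d) ? "ok" : "overflow");
    printf("INT_MIN - 1: %s\n", safe_sub(INT_MIN, 1, &d) ? "ok" : "overflow");
    printf("0 - INT_MIN: %s\n", safe_sub(0, INT_MIN, &d) ? "ok" : "overflow");
    printf("first decrement: %s\n", safe_decrement(&counter) ? "ok" : "overflow");
    printf("second decrement: %s\n", safe_decrement(&counter) ? "ok" : "overflow");
    return 0;
}
```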
...
The compliant solution uses a static assertion to ensure that the overflow detection will succeed. See guideline recommendation DCL03-C. Use a static assertion to test the value of a constant expression for a discussion of static assertions.
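An added example for the multiplication section, not code from the original page: the wide-type approach guarded by a static assertion (C11 _Static_assert) that long long is wide enough to hold any product of two ints, beside a division-based precondition test that needs no wider type. The names safe_mul and safe_mul_portable are my own; the assertion compares sizeof, so it assumes neither type carries padding bits.

```c
#include <limits.h>
#include <stdio.h>

/* A product of two N-bit values needs at most 2N bits.  Checking this at
 * compile time means the long long multiplication below cannot overflow, and
 * a build on a platform where the assumption fails stops here instead of
 * silently computing a wrong range check. */
_Static_assert(sizeof(long long) >= 2 * sizeof(int),
               "long long must be at least twice as wide as int");

int safe_mul(int si_a, int si_b, int *product) {
    long long tmp = (long long)si_a * (long long)si_b;   /* exact, by the assertion */
    if (tmp > INT_MAX || tmp < INT_MIN) {
        return 0;
    }
    *product = (int)tmp;
    return 1;
}

/* Precondition test with no wider type.  Each sign combination is compared
 * against INT_MAX or INT_MIN divided by one operand; because C truncates
 * toward zero, the comparison is exact at the boundary (e.g. INT_MIN * -1 is
 * caught by INT_MAX / INT_MIN == 0 and -1 < 0). */
int safe_mul_portable(int si_a, int si_b, int *product) {
    if (si_a > 0) {
        if (si_b > 0) {
            if (si_a > INT_MAX / si_b) return 0;
        } else {
            if (si_b < INT_MIN / si_a) return 0;
        }
    } else {
        if (si_b > 0) {
            if (si_a < INT_MIN / si_b) return 0;
        } else {
            if (si_a != 0 && si_b < INT_MAX / si_a) return 0;
        }
    }
    *product = si_a * si_b;
    return 1;
}

int main(void) {
    int p;
    /* Constructed cases: an ordinary product, the INT_MIN * -1 corner, and
     * the smallest positive square that no longer fits. */
    printf("-3 * 7: %s\n", safe_mul(-3, 7, &p) ? "ok" : "overflow");
    printf("INT_MIN * -1: %s\n", safe_mul_portable(INT_MIN, -1, &p) ? "ok" : "overflow");
    printf("46341 * 46341: %s\n", safe_mul_portable(46341, 46341, &p) ? "ok" : "overflow");
    return 0;
}
```

The static assertion is what makes the first version trustworthy: without it, a platform where int and long long have the same width would compute the product in long long, overflow there, and then pass a wrapped value through the range check.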
...
Division is between two operands of arithmetic type. Overflow can occur during two's-complement signed integer division when the dividend is equal to the minimum (negative) value for the signed integer type and the divisor is equal to -1. Division operations are also susceptible to divide-by-zero errors. (See guideline rule INT33-C. Ensure that division and modulo operations do not result in divide-by-zero errors.)
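An added example for the division section, not code from the original page: guarded quotient and remainder functions that reject both hazards named above, a zero divisor and INT_MIN / -1. The remainder needs the same guard because C defines a % b only when a / b is representable. The names safe_div and safe_mod are my own.

```c
#include <limits.h>
#include <stdio.h>

/* Quotient of si_a / si_b.  The two rejected cases are a zero divisor
 * (INT33-C) and INT_MIN / -1, whose mathematical result INT_MAX + 1 is not
 * representable and traps on common hardware.  Returns 1 and stores the
 * quotient, or 0 if the division must not be performed. */
int safe_div(int si_a, int si_b, int *quot) {
    if (si_b == 0 || (si_a == INT_MIN && si_b == -1)) {
        return 0;
    }
    *quot = si_a / si_b;
    return 1;
}

/* Remainder of si_a % si_b.  INT_MIN % -1 is mathematically 0, but because
 * INT_MIN / -1 is not representable the C standard leaves the remainder
 * undefined too, so it is rejected alongside the zero divisor. */
int safe_mod(int si_a, int si_b, int *rem) {
    if (si_b == 0 || (si_a == INT_MIN && si_b == -1)) {
        return 0;
    }
    *rem = si_a % si_b;
    return 1;
}

int main(void) {
    int q, r;
    /* Constructed inputs: an ordinary case and the two rejected cases. */
    if (safe_div(-7, 2, &q) && safe_mod(-7, 2, &r)) {
        printf("-7 / 2 = %d, -7 %% 2 = %d\n", q, r);   /* truncates toward zero */
    }
    printf("7 / 0: %s\n", safe_div(7, 0, &q) ? "ok" : "rejected");
    printf("INT_MIN / -1: %s\n", safe_div(INT_MIN, -1, &q) ? "ok" : "rejected");
    return 0;
}
```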
...
This solution is also compliant with guideline rule INT34-C. Do not shift a negative number of bits or more bits than exist in the operand.
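An added example for the left-shift section, not code from the original page: a guarded shift that enforces both INT34-C conditions (a non-negative shift count smaller than the width of the operand type) and the INT32-C condition that the shifted value must still be representable, which also requires a non-negative left operand. The width of int is computed from INT_MAX rather than from sizeof so that padding bits, if any, are not counted. The names int_width and safe_shl are my own.

```c
#include <limits.h>
#include <stdio.h>

/* Width of int in bits: INT_MAX has every value bit set, so counting its bits
 * and adding the sign bit gives the width without assuming CHAR_BIT * sizeof(int). */
static int int_width(void) {
    int bits = 0;
    unsigned int x = (unsigned int)INT_MAX;
    while (x != 0) {
        bits++;
        x >>= 1;
    }
    return bits + 1;
}

/* si_a << si_b, performed only when every precondition holds:
 *   - si_b is non-negative and less than the width of int (INT34-C);
 *   - si_a is non-negative (shifting a negative value left is undefined);
 *   - si_a * 2^si_b fits in int, tested as si_a <= INT_MAX >> si_b, which
 *     never overflows because it shifts right.
 * Returns 1 and stores the result, or 0 if the shift must not be performed. */
int safe_shl(int si_a, int si_b, int *result) {
    if (si_b < 0 || si_b >= int_width()) {
        return 0;
    }
    if (si_a < 0 || si_a > (INT_MAX >> si_b)) {
        return 0;
    }
    *result = si_a << si_b;
    return 1;
}

int main(void) {
    int r;
    /* Constructed inputs: a valid shift, a representable maximum, and the
     * three rejected kinds (too wide a count, negative operand, lost bits). */
    printf("1 << 4: %s\n", safe_shl(1, 4, &r) ? "ok" : "rejected");
    printf("1 << (width-2): %s\n", safe_shl(1, int_width() - 2, &r) ? "ok" : "rejected");
    printf("1 << width: %s\n", safe_shl(1, int_width(), &r) ? "ok" : "rejected");
    printf("-1 << 1: %s\n", safe_shl(-1, 1, &r) ? "ok" : "rejected");
    printf("INT_MAX << 1: %s\n", safe_shl(INT_MAX, 1, &r) ? "ok" : "rejected");
    return 0;
}
```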
...
Related Guidelines
CERT C++ Secure Coding Standard: INT32-CPP. Ensure that operations on signed integers do not result in overflow
The CERT Oracle Secure Coding Standard for Java: INT00-J. Perform explicit range checking to ensure integer operations do not overflow
Bibliography
[Dowd 2006] Chapter 6, "C Language Issues" (Arithmetic Boundary Conditions, pp. 211-223)
[ISO/IEC 9899:1999] Section 6.5, "Expressions," and Section 7.10, "Sizes of integer types <limits.h>"
[ISO/IEC TR 24772] "XYY Wrap-around Error"
[MITRE 2007] CWE ID 129, "Unchecked Array Indexing" (http://cwe.mitre.org/data/definitions/129.html) and CWE ID 190, "Integer Overflow (Wrap or Wraparound)" (http://cwe.mitre.org/data/definitions/190.html)
[Seacord 2005] Chapter 5, "Integers"
[Viega 2005] Section 5.2.7, "Integer overflow"
[VU#551436]
[Warren 2002] Chapter 2, "Basics"
...