SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 14

changes.mady.by.user Melanie Thompson

Saved on

compared with

New Version 15

changes.mady.by.user Melanie Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Potentially exploitable undefined behavior can result from any of the following:

  • Using pointer arithmetic so that the result does not point into or just past the end of the same object

...

  • Using such pointers in arithmetic expressions

...

  • Dereferencing pointers that do not point to a valid object in memory

...

  • Using an array subscript so that the resulting reference does not refer to an element in the array

...

Wiki Markup
The C99 standard \[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\] identifies four distinct situations in which undefined behavior (UB) maycan arise as a result of invalid pointer operations:

UB

Description

Example Code

43

Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that does not point into, or just beyond, the same array object.

#Forming Out Of Bounds Pointer

44

Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that points just beyond the array object and is used as the operand of a unary * operator that is evaluated.

#Dereferencing Past The End Pointer, #Using Past The End Index

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="83b20339243241a4-319e4f57-47c34d08-95c6a9fd-df5301a5dcfc3e61d8b2b08b"><ac:plain-text-body><![CDATA[

[46

CC. Undefined Behavior#ub_46]

An array subscript is out of range, even if an object is apparently accessible with the given subscript (as in the lvalue expression a[1][7] given the declaration int a[4][5]).

[#Apparently Accessible Out Of Range Index]

]]></ac:plain-text-body></ac:structured-macro>

59

An attempt is made to access, or generate a pointer to just past, a flexible array member of a structure when the referenced object provides no elements for that array.

#Pointer Past Flexible Array Member

103

The pointer passed to a library function array parameter does not have a value such that all address computations and object accesses are valid.

#Invalid Access By Library Function

...

In the following noncompliant code example the function f() attempts to validate the index before using it as an offset to the statically allocated table of integers. However, the function fails to reject negative index values. When index is less than zero, the behavior of the addition expression in the return statement of the function is undefined 43. On some implementations, the addition alone may can trigger a hardware trap. On other implementations, using the result of the addition or dereferencing it may can also trigger a hardware trap.

...

For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-119: , "Failure to Constrain Operations within the Bounds of a Memory Buffer" and CWE-121: , "Stack-based Buffer Overflow]."

Code Block
bgColor#ffcccc
error_status_t _RemoteActivation(
      /* ... */, WCHAR *pwszObjectName, ... ) {
   *phr = GetServerPath(
              pwszObjectName, &pwszObjectName);
    /* ... */
}

HRESULT GetServerPath(
  WCHAR *pwszPath, WCHAR **pwszServerPath ){
  WCHAR *pwszFinalPath = pwszPath;
  WCHAR wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1];
  hr = GetMachineName(pwszPath, wszMachineName);
  *pwszServerPath = pwszFinalPath;
}

HRESULT GetMachineName(
  WCHAR *pwszPath,
  WCHAR wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1])
{
  pwszServerName = wszMachineName;
  LPWSTR pwszTemp = pwszPath + 2;
  while ( *pwszTemp != L'\\' )
    *pwszServerName++ = *pwszTemp++;
  /* ... */
}

...

In the following compliant solution, the while loop in the GetMachineName() function is bounded so that the loop terminates when a backslash character is found, the null termination character (L'\0' is discovered, or when the end of the buffer is reached. This code does not result in a buffer overflow, even if no backslash character is found in wszMachineName.

...

For a discussion of this programming error in the Common Weakness Enumeration database see CWE-122: , "Heap-based Buffer Overflow, " and CWE-129: , "Improper Validation of Array Index."

Code Block
bgColor#ffcccc
static int *table = NULL;
static size_t size = 0;

int insert_in_table(size_t pos, int value) {
  if (size < pos) {
    int *tmp;
    size = pos + 1;
    tmp = (int*)realloc(table, sizeof *table * size);
    if (NULL == tmp)
      return -1;

    table = tmp;
  }

  table[pos] = value;
  return 0;
}

...

Wiki Markup
The following noncompliant code example declares {{matrix}} to consist of 7 rows and 5 columns in row-major order. The function {{init_matrix}} then iterates over all 35 elements in an attempt to initialize each to the value given by the function argument {{x}}. However, since multidimensional arrays are declared in C in row-major order, and the function iterates over the elements in column-major order, when the value of {{j}} reaches the value {{COLS}} during the first iteration of the outer loop, the function attempts to access element {{matrix\[0\]\[5\]}}. Since the type of {{matrix}} is {{int\[7\]\[5\]}}, the {{j}} subscript is out of range, and the access has undefined behavior [46|CC. Undefined Behavior#ub_46].

...

In the following noncompliant code example, the function f() calls fread() to read nitems of type wchar_t, each size bytes in size, into an array of BUFSIZ elements, wbuf. However, the expression used to compute the value of nitems fails to account for the fact that, unlike the size of char, the size of wchar_t may be greater than 1. Thus, fread() may could attempt to form pointers past the end of wbuf and use them to assign values to non-existing elements of the array. Such an attempt results in undefined behavior 103. A likely manifestation of this undefined behavior is a classic buffer overflow, which is often exploitable by code injection attacks.

For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-121: , "Access of Memory Location After End of Buffer, " and CWE-805: , "Buffer Access with Incorrect Length Value."

Code Block
bgColor#ffcccc
void f(FILE *file) {
  wchar_t wbuf[BUFSIZ];

  const size_t size = sizeof *wbuf;
  const size_t nitems = sizeof wbuf;

  size_t nread;

  nread = fread(wbuf, size, nitems, file);
  /* ... */
}

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

...

TO DO.

Bibliography

...

\[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\] Section 6.7.5.2, "Array declarators" \[[

ISO/IEC PDTR 24772|AA. Bibliography#ISO/IEC PDTR 24772]\] "XYX Boundary Beginning TR 24772 "XYX Boundary Beginning Violation," "XYY Wrap-around Error," and "XYZ Unchecked Array Indexing"

MITRE CWE: CWE-119, "Failure to Constrain Operations within the Bounds of a Memory Buffer"

MITRE CWE: CWE-121, "Stack-based Buffer Overflow"

MITRE CWE: CWE-122, "Heap-based Buffer Overflow"

MITRE CWE: CWE-129, "Unchecked Array Indexing"

MITRE CWE: CWE-788, "Access of Memory Location After End of Buffer"

MITRE CWE: CWE-805, "Buffer Access with Incorrect Length Value"

Bibliography

Wiki Markup

\[[CWE|AA. Bibliography#CWE]\] [CWE-119|http://cwe.mitre.org/data/definitions/119.html]: Failure to Constrain Operations within the Bounds of a Memory Buffer
\[[CWE|AA. Bibliography#CWE]\] [CWE-121|http://cwe.mitre.org/data/definitions/121.html]: Stack-based Buffer Overflow
\[[CWE|AA. Bibliography#CWE]\] [CWE-122|http://cwe.mitre.org/data/definitions/122.html]: Heap-based Buffer Overflow
\[[CWE|AA. Bibliography#CWE]\] [CWE-129|http://cwe.mitre.org/data/definitions/129.html]: Unchecked Array Indexing
\[[CWE|AA. Bibliography#CWE]\] [CWE-788|http://cwe.mitre.org/data/definitions/788.html]: Access of Memory Location After End of Buffer
\[[CWE|AA. Bibliography#CWE]\] [CWE-805|http://cwe.mitre.org/data/definitions/805.html]: Buffer Access with Incorrect Length Value
\[[Finlay 2003|AA. Bibliography#Finlay 03]\]
\[[Microsoft 2003|AA. Bibliography#Microsoft 03]\]
\[[Pethia 2003|AA. Bibliography#Pethia 03]\]
\[[Seacord 2005a|AA. Bibliography#Seacord 05]\] Chapter 1, "Running with Scissors"
\[[Viega 2005|AA. Bibliography#Viega 05]\] Section 5.2.13, "Unchecked array indexing"
\[[xorl 2009|AA. Bibliography#xorl 2009] \] ["CVE-2008-1517: Apple Mac OS X (XNU) Missing Array Index Validation"|http://xorl.wordpress.com/2009/06/09/cve-2008-1517-apple-mac-os-x-xnu-missing-array-index-validation/]

...