...
- Correct usage of expression E // for E: T* = mem_alloc(n)
Noncompliant Code Example
This noncompliant code example assigns a value greater than the size of dynamic memory to 'n' which is then passed to the memset().
| Code Block | ||
|---|---|---|
| ||
void f1 (size_t nchars) {
char *p = (char *)malloc(nchars);
const size_t n = nchars + 1;
memset(p, 0, n);
/* More program code */
}
|
Compliant Solution
This compliant solution makes sure that the value of 'n' is not greater the size of the dynamic memory pointed to by the pointer 'p':
| Code Block | ||
|---|---|---|
| ||
void f1 (size_t nchars, size_t val) {
char *p = (char *)malloc(nchars);
const size_t n = val;
if (nchars - n < 0) {
    /* Handle Error */
}
else {
memset(p, 0, n);
}
/* More program code */
}
|
Noncompliant Code Example
In noncompliant code example the effective type of *p is float while the derived type of the expression 'n' is int.
...
Note: A possibility of this code being safe would be on architectures where sizeof (int) is equal to sizeof (float).
Compliant Solution
The derived type of 'n' in this solution is also float.
| Code Block | ||
|---|---|---|
| ||
void f2() {
float a[4];
const size_t n= sizeof(float) * 4;
void *p = a;
memset(p, 0, n);
/* More program code */
}
|
Risk Assessment
Depending on the library function called, the attacker may be able to use a heap overflow vulnerability to run arbitrary code. The detection of checks specified in description can be automated but the remediation has to be manual.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
ARR38-C | high | likely | medium | P18 | L1 |
Related Guidelines
Bibliography
WG14 Document: N1579 - Rule 5.34 Forming Invalid pointers by library functions.