...
where the integer expression size
and the declaration of vla
are both evaluated at runtime. If the size argument supplied to a variable length array is not a positive integer value, the behavior is undefined. (See undefined behavior 75 in Annex J of C11 [ISO/IEC 9899:2011].) In addition, if the magnitude of the argument is excessive, the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 2006]. The programmer must ensure that size arguments to variable length arrays, especially those derived from untrusted data, are in a valid range.
...
In this noncompliant code example, a variable length array of size size
is declared. The size
is declared as size_t
in compliance with INT01-C. Use rsize_t or size_t for all integer values representing the size of an object.
Code Block | ||||
---|---|---|---|---|
| ||||
void func(size_t size) { int vla[size]; /* ... */ } /* ... */ |
However, it is not guaranteed that the value of size
is a valid size argument, potentially giving rise to a security vulnerability.
Compliant Code Solution
This compliant solution ensures the size
argument used to allocate vla
is in a valid range (between 1 and a programmer-defined maximum); otherwise, it uses an algorithm that relies on dynamic memory allocation.
...
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
| REVERSE_NEGATIVE NEGATIVE_RETURNS | Can find the instances where data is read/write from a negative array index. | |||||||
PRQA QA·CQA-C |
| Partially implemented |
...
ISO/IEC TR 17961 (Draft) Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink]
ISO/IEC TR 24772 "XYX Boundary beginning violation" and "XYZ Unchecked array indexing"
Bibliography
...