Page History

...

In almost every case, an attempt to shift by a negative number of bits or by more than the precision of the operand indicates a bug (logic error). A logic error is different from overflow, in which there is simply a representational deficiency.  In general, shifts should only be performed on unsigned operands (see INT13-C. Use bitwise operators only on unsigned operands).

Noncompliant Code Example (Left Shift, Unsigned Type)

The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated bits are filled with zeros. The following diagram illustrates the left shift operation:

...

void func(unsigned int ui_a, unsigned int ui_b) {
  unsigned int uresult = ui_a << ui_b;
  /* ... */
}

Compliant Solution (Left Shift, Unsigned Type)

This compliant solution eliminates the possibility of shifting by more bits than exist in the left hand operand:

...

Modulo behavior resulting from left-shifting an unsigned integer type is permitted by exception INT30-EX3 to INT30-C. Ensure that unsigned integer operations do not wrap.

Noncompliant Code Example (Left Shift, Signed Type)

The result of E1 << E2 is E1 left-shifted E2 bit positions; vacated bits are filled with zeros. If E1 has a signed type and nonnegative value and E1 * 2E2 is representable in the result type, then that is the resulting value; otherwise, the behavior is undefined.

...

Shift operators and other bitwise operators should be used only with unsigned integer operands in accordance with INT13-C. Use bitwise operators only on unsigned operands.

Compliant Solution (Left Shift, Signed Type)

In addition to the check for overflow, this compliant solution ensures that both the left and right operands have nonnegative values and that the right operand is less than or equal to the precision of the promoted left operand:

...

When working with signed operands, making assumptions about whether a right shift is implemented as an arithmetic (signed) shift or a logical (unsigned) shift can also lead to vulnerabilities. See INT13-C. Use bitwise operators only on unsigned operands.

Compliant Solution (Right Shift)

This compliant solution eliminates the possibility of shifting by more bits than exist in the left hand operand:

...

where %eax stores the least significant bits in the doubleword to be shifted, and %edx stores the most significant bits.

Exceptions

INT34-EX1: The signed integer value zero can be shifted by the width and not the precision.  Assuming a 32-bit int, for example, the following expression is allowed:

...

INT34-EX2: Any positive integer value can be right shifted by the width of the promoted left hand operand.  For example, positive >> 31 is valid for implementations where int has a width of 32 bits, even if positive is a smaller type, such as char. However, any portable shift expression that takes advantage of the full width of a signed integer is guaranteed to have a result of zero, so it is not useful to shift beyond the precision.

Risk Assessment

Although shifting a negative number of bits or more bits than exist in the operand is undefined behavior in C, the risk is generally low because processors frequently reduce the shift amount modulo the width of the type.

Automated Detection

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Bibliography

...