SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 124

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 125

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: updated the errno_t handlnig stuff

...

This noncompliant code example is derived from a real-world example taken from a vulnerable version of the libpng library as deployed on a popular ARM-based cell phone [Jack 2007]. The libpng   The  libpng library allows applications to read, create, and manipulate PNG (Portable Network Graphics) raster image files. The libpng library implements its own wrapper to malloc() that returns a null pointer on error or on being passed a 0 byte length argument.

Code Block
bgColor#FFCCCC
langc
errno_t f(void) { 
  png_charp chunkdata;
  chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
  /* ... */

 
  return 0;
}

If a length field of −1 is supplied to the code in this noncompliant example, the addition wraps around to 0, and png_malloc() subsequently returns a null pointer, which is assigned to chunkdata. The chunkdata pointer is later used as a destination argument in a call to memcpy(), resulting in user-defined data overwriting memory starting at address 0. A write from or read to the memory address 0x0 will generally reference invalid or unused memory. In the case of the ARM and XScale architectures, the 0x0 address is mapped in memory and serves as the exception vector table.

Compliant Solution (POSIX)

This compliant solution ensures that the pointer returned by malloc() is not null. This practice ensures compliance with MEM32-C. Detect and handle memory allocation errors.

Code Block
bgColor#ccccff
langc
png_charp chunkdata;

errno_t f(void) { 
  png_charp chunkdata;
  chunkdata = (png_charp)png_malloc(png_ptr, length + 1);
  if (NULL == chunkdata) {
    return -1ENOMEM;  /* Indicate failure */
  }

  /* ... */
  return 0;
}

This compliant solution is categorized as a POSIX solution because it returns ENOMEM, which is defined by POSIX but not by the C Standard.

Noncompliant Code Example

...

Code Block
bgColor#FFCCCC
langc
int f(void) {
  size_t size = strlen(input_str)+1;
  str = (char *)malloc(size);
  memcpy(str, input_str, size);
  /* ... */
  free(str);
  str = NULL;

  return 0;
}

Compliant Solution

This compliant solution ensures the pointer returned by malloc() is not null. This solution also complies with MEM32-C. Detect and handle memory allocation errors.

...

The sk pointer is initialized to tun->sk before checking if tun is a null pointer.  Because null pointer dereferencing is undefined behavior, the compiler (GCC in this case) can optimize away the if (!tun) check because it is performed after tun->sk is dereferenced, implying that tun is non-null. As a result, this noncompliant code example is vulnerable to a null pointer dereference exploit.  Typically, a null pointer dereference results in access violation and abnormal program termination. However, it is possible to permit null pointer dereferencing on several operating systems, for example, using mmap(2) with the MAP_FIXED flag on Linux and Mac OS X or using shmat(2) with the SHM_RND flag on Linux [Liu 2009].

Compliant Solution

This compliant solution eliminates the null pointer deference by initializing sk to tun->sk following the null pointer check:

...