Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Modern implementations of the C standard library should check for wrap. If the libraries used for a particular implementation properly handle unsigned integer wrapping on the multiplication, that is sufficient to comply with this recommendation.

Noncompliant Code Example

In this example, the user-defined function get_size() (not shown) is used to calculate the size requirements for a dynamic array of long int that is assigned to the variable num_elements. When calloc() is called to allocate the buffer, num_elements is multiplied by sizeof(long) to compute the overall size requirements. If the number of elements multiplied by the size cannot be represented as a size_t, then calloc() may allocate a buffer of insufficient size. When data is copied to that buffer, a buffer overflow may occur.

Code Block
bgColor#FFCCCC
size_t num_elements;

/* initialize num_elements to the number of elements needed */

long *buffer = (long *)calloc(num_elements, sizeof(long));
if (buffer == NULL) {
  /* handleHandle error condition */
}
/*...*/
free(buffer);
buffer = NULL; 

Compliant Solution

In this compliant solution, the the two arguments num_elements and sizeof(long) are checked before the call to calloc() to determine if wrapping will occur.

Code Block
bgColor#ccccff
long *buffer;
size_t num_elements;

/* initialize num_elements to the number of elements needed */

if (num_elements > SIZE_MAX/sizeof(long)) {
  /* handleHandle error condition */
}
buffer = (long *)calloc(num_elements, sizeof(long));
if (buffer == NULL) {
  /* handleHandle error condition */
}

Note that the maximum amount of allocatable memory is typically limited to a value less than SIZE_MAX (the maximum value of size_t). Always check the return value from a call to any memory allocation function in compliance with MEM32-C. Detect and handle memory allocation errors.

Risk Assessment

Unsigned integer wrapping in memory allocation functions can lead to buffer overflows that can be exploited by an attacker to execute arbitrary code with the permissions of the vulnerable process. Most implementations of calloc() now check to make sure silent wrapping does not occur, but it is not always safe to assume the version of calloc() being used is secure, particularly when using dynamically linked libraries.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

MEM07-C

high

unlikely

medium

P6

L2

Automated Detection

Compass/ROSE can detect violations of this recommendation.

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.18.3, "Limits of other integer types"
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 190|http://cwe.mitre.org/data/definitions/190.html], "Integer Overflow (Wrap or Wraparound)," and [CWE ID 128|http://cwe.mitre.org/data/definitions/128.html], "Wrap-around Error"
\[[Seacord 05|AA. C References#Seacord 05]\] Chapter 4, "Dynamic Memory Management"
\[[RUS-CERT|AA. C References#RUS-CERT]\] Advisory 2002-08:02, "Flaw in calloc and similar routines"
\[[Secunia|AA. C References#Secunia]\] Advisory SA10635, "HP-UX calloc Buffer Size Miscalculation Vulnerability"

...