SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 59

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 60

changes.mady.by.user Melanie Thompson

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Because length is user controlled, the value can result in a large block of memory being allocated or can cause the call to malloc() to fail. Depending on how error handling is implemented, this may result in a denial of service or other error. A length of zero results in a division by zero in the overflow check, which can also result in a denial of service. (see See guideline INT33-C. Ensure that division and modulo operations do not result in divide-by-zero errors.).

Compliant Solution

Wiki Markup
This compliant solution defines the acceptable range for {{length}} as {{\[1, MAX_TABLE_LENGTH\]}}. The {{length}} parameter is declared as {{size_t}}, which is unsigned by definition. Consequently, it is not necessary to check {{length}} for negative values. (seeSee guideline [INT01-C. Use rsize_t or size_t for all integer values representing the size of an object].).

Code Block
bgColor#ccccff
enum { MAX_TABLE_LENGTH = 256 };

int create_table(size_t length) {
  size_t table_length;
  char **table;

  if (length == 0 || length > MAX_TABLE_LENGTH) {
    /* Handle invalid length */
    return -1; 
 }

  /*
   * The wrap check has been omitted based on the assumption 
   * that MAX_TABLE_LENGTH * sizeof(char *) cannot exceed 
   * SIZE_MAX. If this assumption is not valid, a check must 
   * be added.
   */
  assert(length <= SIZE_MAX/sizeof(char *));

  table_length = length * sizeof(char *);
  table = (char **)malloc(table_length);

  if (table == NULL) {
    /* Handle error condition */
    return -1;
  }
  /* ... */
  return 0;
}

The test for length == 0 ensures that a nonzero number of bytes is allocated. (see See guideline MEM04-C. Do not perform zero length allocations.).

Risk Assessment

Failing to enforce the limits on integer values can result in a denial-of-service attack.

...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

Related Guidelines

This rule appears in the C++ Secure Coding Standard as : INT04-CPP. Enforce limits on integer values originating from untrusted sources.

Bibliography

Wiki Markup
\[[Seacord 05a2005a|AA. Bibliography#Seacord 05]\] Chapter 5, "Integer Security"

...