...
This noncompliant code example may result in an unsigned integer wrap during the addition of the unsigned operands ui_a and ui_b. If this behavior is unexpected, the resulting value may be used to allocate insufficient memory for a subsequent operation or in some other manner that can lead to an exploitable vulnerability.
```c
unsigned int ui_a;
unsigned int ui_b;
unsigned int usum;

void func(void) {
  /* Initialize ui_a and ui_b */
  usum = ui_a + ui_b;
  /* ... */
}
```
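As an added example (not the page's own code or its compliant solution), the precondition check that refuses the addition of ui_a and ui_b when it would wrap, next to the unchecked form that silently wraps, plus the analogous divisor check for multiplication; the function names are assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Unchecked form: unsigned wrap is well defined in C, so UINT_MAX + 1u
 * quietly yields 0u, which is what makes a later allocation too small. */
unsigned int unchecked_sum(unsigned int ui_a, unsigned int ui_b) {
  return ui_a + ui_b;
}

/* Precondition check: UINT_MAX - ui_a cannot itself wrap (see the
 * exception on subtracting from a type's maximum), so the comparison is
 * safe and the addition is only performed when it fits. */
bool add_u32_checked(unsigned int ui_a, unsigned int ui_b,
                     unsigned int *usum) {
  if (UINT_MAX - ui_a < ui_b) {
    return false; /* would wrap: caller must handle the error */
  }
  *usum = ui_a + ui_b;
  return true;
}

/* Same idea for multiplication: a nonzero divisor keeps the test itself
 * safe, and the multiply by 1 / by 0 cases are trivially in range. */
bool mul_u32_checked(unsigned int ui_a, unsigned int ui_b,
                     unsigned int *uprod) {
  if (ui_a != 0 && ui_b > UINT_MAX / ui_a) {
    return false; /* would wrap */
  }
  *uprod = ui_a * ui_b;
  return true;
}

int main(void) {
  unsigned int s = 0;
  printf("unchecked UINT_MAX + 1 = %u\n", unchecked_sum(UINT_MAX, 1u));
  printf("checked   UINT_MAX + 1 ok? %d\n", add_u32_checked(UINT_MAX, 1u, &s));
  printf("checked   1 + 2 ok? %d, sum = %u\n", add_u32_checked(1u, 2u, &s), s);
  return 0;
}
```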
...
- Operations on two compile-time constants
- Operations on a variable and 0 (except division by 0, of course)
- Subtracting any variable from its type's maximum; for instance, any `unsigned int` may safely be subtracted from `UINT_MAX`
- Multiplying any variable by 1
- Division, as long as the divisor is nonzero
- Right-shifting any type maximum by any number smaller than the type size; for instance, `UINT_MAX >> x` is valid as long as `0 <= x < 32` (assuming that the size of `unsigned int` is 32 bits)
- Left-shifting 1 by any number smaller than the type size
...
| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| INT30-C | High | Likely | High | P9 | L2 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| | | | Can detect violations of this rule by ensuring that operations are checked for overflow before being performed. Be mindful of exception INT30-EX2 because it excuses many operations from requiring validation, including all the operations that would validate a potentially dangerous operation. For instance, adding two |
| Coverity | 6.5 | INTEGER_OVERFLOW | Implemented |
| | 5.0 | | Can detect violations of this rule with the CERT C Rule Pack |
| PRQA QA-C | | 2910 (C) | Partially implemented |
...