C library functions that make changes to arrays or objects take at least two arguments: a pointer to the array or object and an integer indicating the number of elements or bytes to be manipulated. If improper arguments are supplied to such a function, it might cause the function to form a pointer that does not point into or just past the end of the object, resulting in undefined behavior.
For the purposes of this rule, the element count of a pointer is the size of the object to which it points, expressed by the number of elements which that are valid to access.
In the following code,
...
the element count of the pointer p
is sizeof(arr) / sizeof(arr[0])
, that is, 5
. The element count of the pointer p2
, is sizeof(arr)
, that is, 20
, on platforms where sizeof(int) == 4
. The element count of the pointer p3
is 12
on platforms where sizeof(int) == 4
, because p3
points two elements past the start of the array arr
. The element count of p4
is treated as though it were unsigned char *
instead of void *
, and so it is the same as p2
.
Standard Library Functions
...
1 Takes two pointers and an integer, but the integer only specifies the element count of count only of the output buffer. , not of the input buffer.
2 Takes two pointers and an integer, but the integer only specifies the element count of count only of the input buffer, not of the output buffer.
3 Takes two pointers and two integers; each integer corresponds to the element count of one of the pointers.
4 Takes a pointer and two size-related integers; the first size-related integer parameter specifies the number of bytes available in the buffer, ; the second size-related integer parameter specifies the number of bytes to write within the buffer.
...
In this noncompliant code example, the incorrect element count is used in a call to wmemcpy()
. The sizeof
operator returns the size expressed in bytes, but wmemcpy()
uses an element count based on wchar_t *
.
...
When using functions that operate on pointed-to regions, programmers must always express the integer size in terms of the element count expected by the function. For instance, memcpy()
expects the element count expressed in terms of void *
, but wmemcpy()
expects the element count expressed in terms of wchar_t *
. Instead of using the sizeof
operator, calls to return the number of elements in the string are used, which matches the expected element count for the copy functions.
...
For calls that take a pointer and an integer size, the given size should not be greater than the element count of the pointer. This compliant solution ensures that the value of n
is not greater than the number of bytes of the dynamic memory pointed to by the pointer p
:
...
In this noncompliant code example, the element count of the array a
is ARR_SIZE
elements. Because memset()
expects a byte count, the size of the array is scaled incorrectly by sizeof(int)
instead of sizeof(float)
, which can form an invalid pointer on architectures where sizeof(int) != sizeof(float)
.
...
In this compliant solution, the element count required by memset()
is properly calculated without resorting to scaling.:
Code Block | ||
---|---|---|
| ||
#include <string.h> void f2() { const size_t ARR_SIZE = 4; float a[ARR_SIZE]; const size_t n = sizeof(a); void *p = a; memset(p, 0, n); } |
...
Compliant Solution (Two Pointers + One Integer)
For calls that take a two pointers and an integer size, the given size should not be greater than the element count of either pointer. This compliant solution ensures that n
is equal to the size of the character array:
...
This noncompliant code example allocates a variable number of objects of type struct obj
. The function checks that numObjs
is small enough to prevent wrapping, in compliance with INT30-C. Ensure that unsigned integer operations do not wrap. The size of struct obj
is assumed to be eight 8 bytes to account for padding. However, the padding is dependent on the target architecture as well as compiler settings, so this object size may be incorrect. This would then yield an incorrect element count.
...
For calls that take a pointer and two integers, one integer represents the number of bytes required for an individual object, and a second integer represents the number of elements in the array. The resulting product of the two integers should not be greater than the element count of the pointer were it expressed as an unsigned char *
. This compliant solution uses the sizeof
operator to correctly provide the object size , and numObjs
to provide the element count.
...
Depending on the library function called, an attacker may be able to use a heap or stack overflow vulnerability to run arbitrary code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ARR38-C | highHigh | likelyLikely | mediumMedium | P18 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
PRQA QA-C |
| 2931 | Fully implemented |
...