
...

Code Block
int * restrict a;
int * restrict b;

extern int c[]; /* defined in another translation unit */

int main(void) {
  c[0] = 17;
  c[1] = 18;
  a = &c[0];
  b = &c[1];
  *a = *b; /* undefined behavior */
}

Compliant Solution

One way to eliminate the undefined behavior is simply to remove the restrict qualification from the affected pointers.

...

Code Block
void *memcpy(
  void * restrict s1,
  const void * restrict s2,
  size_t n
);

 
char *strcpy(
  char * restrict s1,
  const char * restrict s2
);

 
char *strncpy(
  char * restrict s1,
  const char * restrict s2,
  size_t n
);

char *strcat(
  char * restrict s1,
  const char * restrict s2
);

 
char *strncat(
  char * restrict s1,
  const char * restrict s2, 
  size_t n
);


The Annex K bounds-checking interface functions shown below also take a source object referenced by a restrict-qualified pointer and a destination object that is also referenced by a restrict-qualified pointer:

Code Block
errno_t memcpy_s(
  void * restrict s1, 
  rsize_t s1max,
  const void * restrict s2, 
  rsize_t n
);
 
errno_t strcpy_s(
  char * restrict s1,
  rsize_t s1max,
  const char * restrict s2 
);

 
errno_t strncpy_s(
  char * restrict s1,
  rsize_t s1max,
  const char * restrict s2,
  rsize_t n
);

errno_t strcat_s(
  char * restrict s1,
  rsize_t s1max,
  const char * restrict s2
);

 
errno_t strncat_s(
  char * restrict s1,
  rsize_t s1max,
  const char * restrict s2,
  rsize_t n
);

 
char *strtok_s(
  char * restrict s1,
  rsize_t * restrict s1max,
  const char * restrict s2,
  char ** restrict ptr
);

...

Similar solutions using memmove() can replace the string functions, as long as care is taken regarding the byte size of the characters (for example, sizeof(wchar_t) for the wide-character functions) and proper null termination of the copied string.
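As an added example (not part of the original rule text), the following helper copies a string between buffers that are allowed to overlap by using memmove(), whose parameters are not restrict-qualified, and it always writes the terminator. The regions_overlap() check is also an added helper: it is the test a caller would run before handing two pointers to a restrict-qualified API such as memcpy() or strcpy(); comparing addresses through uintptr_t assumes the platform converts pointers to integers monotonically.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Returns nonzero if [a, a+alen) and [b, b+blen) share at least one byte.
   Relational comparison of pointers into different objects is undefined in C,
   so the addresses are compared as uintptr_t values (assumption: the platform
   maps pointers to integers monotonically, which is true on flat-memory targets). */
int regions_overlap(const void *a, size_t alen, const void *b, size_t blen) {
  uintptr_t a0 = (uintptr_t)a, a1 = a0 + alen;
  uintptr_t b0 = (uintptr_t)b, b1 = b0 + blen;
  return a0 < b1 && b0 < a1;
}

/* Copy the string at src, including its terminator, into dst, which holds
   dstsize bytes. Unlike strcpy(), dst and src may overlap: memmove() has no
   restrict-qualified parameters and copies as if through a temporary buffer.
   Returns 0 on success, -1 if dstsize is 0 or the string had to be truncated;
   whenever dstsize > 0, dst is null-terminated on return. */
int overlap_safe_strcpy(char *dst, size_t dstsize, const char *src) {
  /* Measure before any write: a write into dst could shorten an overlapping src. */
  size_t len = strlen(src);
  if (dstsize == 0) {
    return -1;
  }
  if (len + 1 > dstsize) {
    /* Truncate: move the bytes that fit, then terminate. The move happens first
       so that writing the terminator cannot clobber a not-yet-copied source byte. */
    memmove(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
    return -1;
  }
  memmove(dst, src, len + 1);
  return 0;
}
```

A call such as overlap_safe_strcpy(buf, sizeof buf, buf + 7) strips a prefix in place, which would be undefined behavior with strcpy() because both arguments would designate the same object. regions_overlap() is what memcpy_s() is required to detect at run time; the plain C library functions perform no such check.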

Calling Functions with restrict-qualified Pointer

...

to a const-qualified Type 

Ensure that functions that accept a restrict-qualified pointer to a const-qualified type do not modify the object referenced by that pointer. Formatted input and output standard library functions frequently fit this description. The following is a list of common functions whose format argument is a restrict-qualified pointer to a const-qualified type:

Code Block
int printf(
  const char * restrict format,
  /* ... */
);

 
int scanf(
  const char * restrict format,
  /* ... */
);

 
int sprintf(
  char * restrict s,
  const char * restrict format,
  /* ... */
);

 
int snprintf(
  char * restrict s,
  size_t n,
  const char * restrict format,
  /* ... */
);

For formatted output functions such as printf(), it is unlikely that a programmer would deliberately modify the format string. However, an attacker may be able to do so if a program violates FIO30-C. Exclude user input from format strings and passes tainted values as part of the format string.
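The following is an added example (not code from the original rule) of a function that takes a restrict-qualified pointer to a const-qualified format and only ever reads through it. It counts the conversion specifications a printf-style format will consume, rejects %n (the write primitive used in format-string attacks) and incomplete specifications, and safe_format() refuses to call vsnprintf() unless the count matches what the caller intends to pass. The names count_conversions(), is_spec_prefix() and safe_format() are assumptions introduced here; the '*' handling follows printf() semantics (each '*' consumes an int argument), not scanf()'s assignment suppression.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Characters that may appear between '%' and the conversion letter:
   flags, width, precision and length modifiers. '\0' is excluded explicitly
   because strchr() would otherwise match the terminator of the set string. */
static bool is_spec_prefix(char ch) {
  return ch != '\0' && strchr("-+ #0123456789*.hlLjzt", ch) != NULL;
}

/* Walk fmt, reading it only through the restrict-qualified pointer to const.
   Returns the number of arguments a printf-style call with this format would
   consume, or -1 if the format contains %n or ends inside a specification.
   "%%" is a literal percent and consumes nothing. */
int count_conversions(const char * restrict fmt) {
  int count = 0;
  for (const char *p = fmt; *p != '\0'; ++p) {
    if (*p != '%') {
      continue;
    }
    ++p;
    if (*p == '%') {
      continue; /* "%%" */
    }
    while (is_spec_prefix(*p)) {
      if (*p == '*') {
        ++count; /* '*' width or precision takes an int argument */
      }
      ++p;
    }
    if (*p == '\0' || *p == 'n') {
      return -1; /* dangling '%' or the %n write primitive */
    }
    ++count;
  }
  return count;
}

/* Format into buf only when fmt is well formed and expects exactly `expected`
   arguments, which catches a format that was tampered with before the call.
   Returns vsnprintf()'s result, or -1 when the format is rejected.
   buf and fmt must not overlap: vsnprintf()'s parameters are restrict-qualified. */
int safe_format(char *buf, size_t n, int expected, const char * restrict fmt, ...) {
  if (count_conversions(fmt) != expected) {
    return -1;
  }
  va_list ap;
  va_start(ap, fmt);
  int r = vsnprintf(buf, n, fmt, ap);
  va_end(ap);
  return r;
}
```

The format itself is still only written to through the conversion arguments, never through fmt; that is exactly the property the restrict-qualified const parameter promises to the compiler.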

Noncompliant Code Example

In this noncompliant code example, the programmer is attempting to overwrite the format string with a string value read in from stdin, and to use the modified string to input subsequent values:

Code Block
#include <stdio.h>

int main(void) {
  char format[100] = "%s";
  int i;
  float x;
  /* "%s" stores input into format + 2 while scanf() is still reading format
     through its restrict-qualified const pointer: undefined behavior */
  int n = scanf(format, format + 2, &i, &x);
  /* ... */
}

Compliant Solution

The same results can be achieved as shown in this compliant solution, which passes the complete format as a string literal that the call does not modify.

Code Block
#include <stdio.h>

int main(void) {
  int i;
  float x;
  int n = fscanf(stdin, "%d%f", &i, &x);
  /* ... */
}

  If any of the prece

Risk Assessment

Using functions such as memcpy(), strcpy(), strncpy(), sscanf(), sprintf(), snprintf(), mbstowcs(), and wcstombs() to copy overlapping objects results in undefined behavior that can be exploited to cause data integrity violations.

...