All integer values originating from untrusted sources should be evaluated to determine whether if there are identifiable upper and lower bounds. If so, these limits should be enforced by the interface. Restricting the input of excessively large or small integers helps prevent overflow, truncation, and other type range errors. Furthermore, it is easier to find and correct input problems than it is to trace internal errors back to faulty inputs.
Non-Compliant Code
...
Example
In the following non-compliant code example, size length is a user supplied argument that is used to determine the size length of table.
| Code Block | ||
|---|---|---|
| ||
int create_table(size_t sizelength) { char **table; if (sizeof(char *) > SIZE_MAX/sizelength) { /* handle overflow */ } size_t table_sizelength = sizelength * sizeof(char *); table = (char **)malloc(table_sizelength) if (table == NULL) { /* Handle error condition */ } /* ... */ return 0; } |
Because size length is user-controlled by , the user, it could be specified to be either large enough to consume large amounts of system resources and still succeed or large enough to value could result in a large block of memory being allocated or cause the call to malloc() to fail, which, depending . Depending on how error handling is implemented, this may result in a denial of service condition. It may also be zero, causing or other error. A length of zero results in a division by zero in the overflow check, which can also resulting result in a denial of service.
Compliant Solution
| Wiki Markup |
|---|
This compliant solution defines the acceptable range for {{sizelength}} as {{\[1, MAX_TABLE_SIZELENGTH\]}}. The {{sizelength}} parameter is declared as {{size_t}}, which is unsigned by definition. Consequently, it is not necessary to check {{sizelength}} for negative values (see [INT01-A. Use rsize_t or size_t for all integer values representing the sizelength of an object]). |
| Code Block | ||
|---|---|---|
| ||
enum { MAX_TABLE_SIZELENGTH = 256 };
int create_table(size_t sizelength) {
size_t table_sizelength;
char **table;
if (sizelength == 0 || sizelength > MAX_TABLE_SIZELENGTH) {
/* Handle invalid sizelength */
}
/*
* The wrap check has been omitted based on the assumption that
* MAX_TABLE_SIZELENGTH * sizeof(char *) cannot exceed SIZE_MAX
* If this assumption is not valid, a check must be added
*/
assert(sizelength <= SIZE_MAX/sizeof(char *));
table_sizelength = sizelength * sizeof(char *);
table = (char **)malloc(table_sizelength);
if (table == NULL) {
/* Handle error condition */
}
/* ... */
return 0;
}
|
The test for length == 0 ensures that a non-zero number of bytes is allocated (see MEM04-A. Do not perform zero length allocations).
Risk Assessment
Failing to enforce the limits on integer values can result in a denial of service condition.
...