...
To avoid operating on unspecified values, the arithmetic value being cast must be within the range of values the enumeration can represent. When checking for out-of-range values dynamically, it must be performed prior to the cast expression.
Noncompliant Code Example (Bounds Checking)
This noncompliant code example attempts to check whether a given value is within the range of acceptable enumeration values. However, it is doing so after casting to the enumeration type, which may not be able to represent the given integer value. On a two's complement system, the valid range of values that can be represented by enum_type are: [0..3], so if a value outside of that range were passed to f(), the cast to enum_type would result in an unspecified value, and using that value within the if statement results in unspecified behavior.
| Code Block | ||||
|---|---|---|---|---|
| ||||
enum enum_type {
E_A,
E_B,
E_C
};
void f(int int_var) {
enum_type enum_var = static_cast<enum_type>(int_var);
if (enum_var < E_A || enum_var > E_C) {
// Handle error
}
} |
Compliant Solution (Bounds Checking)
This compliant solution checks that the value is within the range of acceptable enumeration values before the conversion to guarantee there is no unspecified result. It further restricts the converted value to one for which there is a specific enumerator value.
| Code Block | ||||
|---|---|---|---|---|
| ||||
enum enum_type {
E_A,
E_B,
E_C
};
void f(int int_var) {
if (int_var < E_A || int_var > E_C) {
// Handle error
}
enum_type enum_var = static_cast<enum_type>(int_var);
}
|
Compliant Solution (Scoped Enumeration)
This compliant solution uses a scoped enumeration, which has a fixed underlying type of type int by default, allowing any value from the parameter to be converted into a valid enumeration value. It does not further restrict the converted value to one for which there is a specific enumerator value, but could do so by using the previous compliant solution.
| Code Block | ||||
|---|---|---|---|---|
| ||||
enum class enum_type {
E_A,
E_B,
E_C
};
void f(int int_var) {
enum_type enum_var = static_cast<enum_type>(int_var);
} |
Compliant Solution (Fixed Unscoped Enumeration)
Similar to the previous compliant solution, this compliant solution uses an unscoped enumeration, but provides a fixed underlying type of type int, allowing any value from the parameter to be converted into a valid enumeration value:
...
While similar to the previous compliant solution, the previous compliant solution differs from the noncompliant code example in the way the enumerator values are expressed in code and what implicit conversions are allowed. The previous compliant solution requires a nested name specifier to identify the enumerator (e.g., enum_type::E_A), and will not implicitly convert the enumerator value to int. As with the noncompliant code example, this compliant solution does not allow a nested name specifier and will implicitly convert the enumerator value to int.
Risk Assessment
Unexpected behavior can lead to a buffer overflow and the execution of arbitrary code by an attacker. This is most likely if the program in one case checks the value correctly and then fails to do so later. Such a situation could allow an attacker to avoid verification of a buffer's length, and so on.
...
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
INT30-CPP | Medium | Unlikely | Medium | P4 | L3 |
Automated Detection
Tool | Version | Checker | Description |
|---|---|---|---|
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Bibliography
| [ISO/IEC 14882-2014] | 7.2, "Enumeration Declarations" |
| [Becker 2009] | Section 7.2, "Enumeration declarations" |
...