SEI CERT C++ Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 13

changes.mady.by.user Justin Pincar

Saved on

compared with

New Version 14

changes.mady.by.user Justin Pincar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Edited by NavBot (jp)

Wiki Markup
The C+\+ Standard [ISO/IEC 14882-2003|AA. C++ References#ISO/IEC 14882-2003] ""One definition rule"" (Section 3.2) says: ""No translation unit shall contain more than one definition of any variable, function, class type, enumeration type or template.""  Moreover, paragraph 3 says: ""Every program shall contain exactly one definition of every non-inline function or object that is used in that program; no diagnostic required.""  Although it is possible to check that the ODR is complied with (see \[[Quinlan 06|AA. C++ References#Quinlan 06]\]), as of October 2006 we are not aware of any compilers that enforce the rule or even issue a diagnostic.  As the paper by Quinlan et al. shows, failing to enforce the ODR enables a virtual function pointer attack, known as the VPTR [exploit|BB. Definitions#exploit].  This is where an object's virtual function table is corrupted so that calling a virtual function on the object results in malicious code being executed.  See the paper by Quinlan et al. for more details.

...

Code Block
bgColor#FFcccc
# include ""Base.h""

class Derived: public Base {
public:
    Derived () {buf_[0] = 'a';}
    void run () {buf_[0] = 'z';}
    char buf_[1];
};

void runModule () {
    Derived a, b;
    Base *pa = &a, *pb = &b;
    pb->run>run ();  // Expect b.buf_[0] == 'z'
    pa->run>run ();  // Expect a.buf_[0] == 'z'
}

...

Code Block
bgColor#FFcccc
# include ""Base.h""

class Attacker: public Base {
public: void run () {
        // vtable is overwritten
        // do malicious things here
        // ...
    }
}

class Derived: public Base {  // Class violating ODR
public:
    void run () {
        buf_[0] = 'z';  // Looks normal, but ...
        Attacker x;  // Instantiate to get a vtable to inject
        *((unsigned *)(buf_ + 12)) = *((const unsigned *)(&x));
    }
    char buf_[16];  // Buffer used to overwrite vtable
};

Derived d;  // Instantiate to get malicious Derived

...

Wiki Markup
\[[ISO/IEC 14882-2003|AA. C++ References#ISO/IEC 14882-2003]\] Section 3.2, ""One definition rule""

Wiki Markup
\[[Quinlan 06|AA. C++ References#Quinlan 06]\]

...

MSC04-A. Use comments consistently and in a readable fashion      49. Miscellaneous (MSC)      12. Vectors (VEC)