According to Sun's Secure Coding Guidelines document [SCG 2007]:
The (Java) language is type-safe, and the runtime provides automatic memory management and range-checking on arrays. These features also make Java programs immune to the stack-smashing and buffer overflow attacks possible in the C and C++ programming languages, and that have been described as the single most pernicious problem in computer security today.
...
According to the Java Language Specification [JLS 2005], section 4.2.2 Integer Operations:
The built-in integer operators do not indicate overflow or underflow in any way. Integer operators can throw a NullPointerException if unboxing conversion of a null reference is required. Other than that, the only integer operators that can throw an exception are the integer divide operator / and the integer remainder operator %, which throw an ArithmeticException if the right-hand operand is zero, and the increment and decrement operators ++ and -- which can throw an OutOfMemoryError if boxing conversion is required and there is not sufficient memory available to perform the conversion.
...
Failing to account for integer overflow has resulted in failures in real systems, for instance, when implementing the {{compareTo()}} method. The {{compareTo()}} method does not care about the magnitude of the operands but only about the sign. Consequently, an optimization is to simply subtract the operands and return the result. For nonpositive operands, this can result in integer overflow and violation of the {{compareTo()}} contract [Bloch 2008, item 12].
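As an added illustration (not code from the original guideline), the subtraction shortcut for {{compareTo()}} beside a form that only compares the operands; the class name and the sample values are constructed for this example:

```java
// Constructed example: the subtraction shortcut violates the compareTo()
// contract as soon as a - b does not fit in an int.
public final class CompareToOverflow {

    // Noncompliant: the sign of a - b is wrong whenever the subtraction overflows.
    static int compareBySubtraction(int a, int b) {
        return a - b;
    }

    // Compliant: compares the operands directly; no arithmetic, so no overflow.
    static int compareSafely(int a, int b) {
        return (a < b) ? -1 : ((a == b) ? 0 : 1);
    }

    public static void main(String[] args) {
        int a = Integer.MIN_VALUE; // smallest representable int
        int b = 1;
        // a is less than b, so a correct compareTo() result must be negative.
        // MIN_VALUE - 1 wraps around to MAX_VALUE, which is positive: the
        // subtraction-based comparison reports a > b and breaks sorting.
        System.out.println("subtraction: " + compareBySubtraction(a, b));
        System.out.println("direct:      " + compareSafely(a, b));
        // Java 7 and later provide Integer.compare(), which compares the same way.
        System.out.println("Integer.compare: " + Integer.compare(a, b));
    }
}
```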
Addition
Addition (as with all arithmetic operations) in Java is performed on signed numbers only, as unsigned numbers are unsupported. One exception is the unsigned char type. Performing arithmetic operations that use operands of type char is strongly discouraged.
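An added example (not the guideline's own code) of checking the preconditions of signed int addition so that an out-of-range result is reported instead of silently wrapping; the class and method names are assumed:

```java
// Constructed example: range-checked int addition.
public final class CheckedAddition {

    // Throws ArithmeticException if a + b cannot be represented as an int.
    // The limit is adjusted by b before comparing, so the check itself
    // cannot overflow: MAX_VALUE - b for b > 0 and MIN_VALUE - b for b <= 0
    // are always in range.
    static int safeAdd(int a, int b) {
        if (b > 0 ? a > Integer.MAX_VALUE - b : a < Integer.MIN_VALUE - b) {
            throw new ArithmeticException("int overflow: " + a + " + " + b);
        }
        return a + b;
    }

    // Alternative: widen to long, add, and range-check the result once.
    static int safeAddViaLong(int a, int b) {
        long sum = (long) a + b;
        if (sum < Integer.MIN_VALUE || sum > Integer.MAX_VALUE) {
            throw new ArithmeticException("int overflow: " + a + " + " + b);
        }
        return (int) sum;
    }

    public static void main(String[] args) {
        System.out.println(safeAdd(Integer.MAX_VALUE - 1, 1)); // in range
        try {
            safeAdd(Integer.MAX_VALUE, 1); // plain + would wrap to MIN_VALUE
        } catch (ArithmeticException e) {
            System.out.println("detected: " + e.getMessage());
        }
        try {
            safeAddViaLong(Integer.MIN_VALUE, -1); // plain + would wrap to MAX_VALUE
        } catch (ArithmeticException e) {
            System.out.println("detected: " + e.getMessage());
        }
        // Java 8 and later provide Math.addExact(), which performs the same check.
        try {
            Math.addExact(Integer.MAX_VALUE, 1);
        } catch (ArithmeticException e) {
            System.out.println("detected by addExact: " + e.getMessage());
        }
    }
}
```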
...
- The sign of the remainder is always the same as that of the dividend. For example, -3 % -2 results in the value -1. This behavior can sometimes be deceptive. Refer to guideline INT02-J. Do not assume a positive remainder when using the remainder operator for more details.
...
- The right shift is an arithmetic shift.
- The types boolean, float and double cannot use the bit shifting operators.
...
When the value to be shifted (left operand) is of type {{long}}, only the last 6 bits of the right-hand operand are used to perform the shift. The shift distance is the value of the right-hand operand masked by 63 (0x3F) [JLS 2003]. That is, the effective shift distance is always between 0 and 63. (If the shift value is greater than 64, the effective shift is {{value % 64}}.)
Refer to guideline INT05-J. Use shift operators correctly for further details about the behavior of the shift operators.
...
This noncompliant code example attempts to shift the value {{i}} of type {{int}} until, after 32 iterations, the value becomes 0. Unfortunately, this loop never terminates because an attempt to shift a value of type {{int}} by 32 bits results in the original value rather than the value 0 [Bloch 2005].
Code Block:

    int i = 0;
    // Never terminates: the shift distance is masked to 0..31, so -1 << 32 is -1.
    while ((-1 << i) != 0) {
      i++;
    }
...
Code Block:

    // Terminates after 32 iterations: the shift distance is always 1,
    // and the value itself is shifted toward zero.
    for (int val = -1; val != 0; val <<= 1) {
      /* ... */
    }
Noncompliant Code Example (Concurrent Code)
This noncompliant code example uses an AtomicInteger, which is part of the concurrency utilities. The concurrency utilities do not enforce checks for integer overflow.
...
Consequently, itemsInInventory may wrap around to Integer.MIN_VALUE after the increment operation.
Noncompliant Code Example (Concurrent Code, TOCTOU Condition in Check)
This noncompliant code example installs a check for integer overflow; however, there is a time-of-check, time-of-use (TOCTOU) vulnerability between the check and the increment operation.
...
The {{compareAndSet()}} method takes two arguments, the expected value of a variable when the method is invoked and the updated value. This compliant solution uses this method to atomically set the value of {{itemsInInventory}} to the updated value if and only if the current value equals the expected value [API 2006]. The while loop ensures that the {{removeItem()}} method succeeds in decrementing the most recent value of {{itemsInInventory}} as long as the inventory count is greater than {{MIN_INVENTORY}}. Refer to guideline VNA02-J. Ensure that compound operations on shared variables are atomic for more details.
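As an added example (not the guideline's own code) of the two concurrent variants described above: the check-then-increment form with the TOCTOU window, beside the {{compareAndSet()}} loop of the compliant solution. The class name, {{MAX_INVENTORY}} and the exception types are assumptions; {{itemsInInventory}}, {{MIN_INVENTORY}} and {{removeItem()}} follow the text.

```java
import java.util.concurrent.atomic.AtomicInteger;

// Constructed example: an inventory counter held in an AtomicInteger.
public final class Inventory {
    private static final int MIN_INVENTORY = 0;
    private static final int MAX_INVENTORY = Integer.MAX_VALUE; // assumed bound

    private final AtomicInteger itemsInInventory = new AtomicInteger(0);

    // Noncompliant (TOCTOU): another thread may increment between the check
    // and incrementAndGet(), so the counter can still wrap to MIN_VALUE.
    public int addItemUnsafe() {
        if (itemsInInventory.get() == MAX_INVENTORY) {
            throw new ArithmeticException("inventory full");
        }
        return itemsInInventory.incrementAndGet();
    }

    // Compliant: read, check and compareAndSet() in a loop, so the update is
    // applied only if the value is still the one that passed the check.
    public int addItem() {
        while (true) {
            int old = itemsInInventory.get();
            if (old == MAX_INVENTORY) {
                throw new ArithmeticException("inventory full");
            }
            int next = old + 1;
            if (itemsInInventory.compareAndSet(old, next)) {
                return next;
            }
            // Lost the race: another thread changed the value; retry.
        }
    }

    // Same pattern for the decrement, bounded below by MIN_INVENTORY.
    public int removeItem() {
        while (true) {
            int old = itemsInInventory.get();
            if (old <= MIN_INVENTORY) {
                throw new IllegalStateException("inventory empty");
            }
            int next = old - 1;
            if (itemsInInventory.compareAndSet(old, next)) {
                return next;
            }
        }
    }

    public int count() { return itemsInInventory.get(); }
}
```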
Exceptions
INT00-EX1: Depending on the functionality, integer overflow may be benign. For instance, the Object.hashCode() method may return all representable values of type int.
...
Failure to perform explicit range checking can lead to integer overflows causing unexpected program control flow or unanticipated program behavior.
Guideline | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
INT00-J | medium | unlikely | medium | P4 | L3 |
...