The C Standard identifies the following distinct situations in which undefined behavior (UB) can arise as a result of invalid pointer operations:
UB | Description | Example Code |
---|---|---|
Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that does not point into, or just beyond, the same array object. | ||
Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that points just beyond the array object and is used as the operand of a unary | Dereferencing Past the End Pointer, Using Past the End Index | |
An array subscript is out of range, even if an object is apparently accessible with the given subscript, for example, in the lvalue expression | ||
An attempt is made to access, or generate a pointer to just past, a flexible array member of a structure when the referenced object provides no elements for that array. |
Anchor | ||||
---|---|---|---|---|
|
...
In this compliant solution, the while
loop in the GetMachineName()
function is bounded so that the loop terminates when a backslash character is found, the null-termination character (L'\0'
) is discovered, or the end of the buffer is reached. Or, as coded, the while loop continues as long as each character is neither a backslash nor a null character and is not at the end of the buffer. This code does not result in a buffer overflow even if no backslash character is found in wszMachineName
.
Code Block | ||||
---|---|---|---|---|
| ||||
HRESULT GetMachineName( wchar_t *pwszPath, wchar_t wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1]) { wchar_t *pwszServerName = wszMachineName; wchar_t *pwszTemp = pwszPath + 2; wchar_t *end_addr = pwszServerName + MAX_COMPUTERNAME_LENGTH_FQDN; while ( (*pwszTemp != L'\\') && && ((*pwszTemp != L'\0')) && && (pwszServerName < end_addr) ) { *pwszServerName++ = *pwszTemp++; } /* ... */ } |
...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdlib.h>
struct S {
size_t len;
char buf[]; /* Flexible array member */
};
const char *find(const struct S *s, int c) {
const char *first = s->buf;
const char *last = s->buf + s->len;
while (first++ != last) { /* Undefined behavior */
if (*first == (unsigned char)c) {
return first;
}
}
return NULL;
}
void g(void) {
struct S *s = (struct S *)malloc(sizeof(struct S));
if (s == NULL) {
/* Handle error */
}
s->len = 0;
find(s, 'a');
} |
...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdlib.h>
struct S {
size_t len;
char buf[]; /* Flexible array member */
};
const char *find(const struct S *s, int c) {
const char *first = s->buf;
const char *last = s->buf + s->len;
while (first != last) { /* Avoid incrementing here */
if (*++first == (unsigned char)c) {
return first;
}
}
return NULL;
}
void g(void) {
struct S *s = (struct S *)malloc(sizeof(struct S));
if (s == NULL) {
/* Handle error */
}
s->len = 0;
find(s, 'a');
} |
...
Writing to out-of-range pointers or array subscripts can result in a buffer overflow and the execution of arbitrary code with the permissions of the vulnerable process. Reading from out-of-range pointers or array subscripts can result in unintended information disclosure.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ARR30-C | High | Likely | High | P9 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||
---|---|---|---|---|---|---|---|
Astrée |
|
array-index- |
range | Partially checked Can detect all accesses to invalid pointers as well as array index out-of-bounds accesses and prove their absence. This rule is only partially checked as invalid but unused pointers may not be reported. | ||||||||
Axivion Bauhaus Suite |
| CertC-ARR30 | Can detect out-of-bound access to array / buffer | ||||||
CodeSonar |
| LANG.MEM.BO |
PARITH |
PBB | Buffer overrun |
Compass/ROSE |
Could be configured to catch violations of this rule. The way to catch the noncompliant code example is to first hunt for example code that follows this pattern: for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\'; In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer. Once this case is handled, ROSE can handle cases like the real noncompliant code example, which is effectively the same semantics, just different syntax | |||||||||
| OVERRUN NEGATIVE_RETURNS ARRAY_VS_SINGLETON BUFFER_SIZE | Can detect the access of memory past the end of a memory buffer/array Can detect when the loop bound may become negative Can detect the out-of-bound read/write to array allocated statically or dynamically Can detect buffer overflows |
Cppcheck |
|
|
|
ABV.ANY_SIZE_ARRAY
ABV.GENERAL
ABV.STACK
ABV.TAINTED
ABV.UNICODE.BOUND_MAP
ABV.UNICODE.FAILED_MAP
ABV.UNICODE.NNTS_MAP
ABV.UNICODE.SELF_MAP
ABV.UNKNOWN_SIZE
NNTS.MIGHT
NNTS.MUST
NNTS.TAINTED
SV.STRBO.BOUND_COPY.OVERFLOW
SV.STRBO.BOUND_COPY.UNTERM
SV.STRBO.BOUND_SPRINTF
SV.TAINTED.ALLOC_SIZE
SV.TAINTED.CALL.INDEX_ACCESS
SV.TAINTED.CALL.LOOP_BOUND
SV.TAINTED.INDEX_ACCESS
SV.TAINTED.LOOP_BOUND
SV.UNBOUND_STRING_INPUT.CIN
SV.UNBOUND_STRING_INPUT.FUNC
arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond, possibleBufferAccessOutOfBounds | Context sensitive analysis of array index, pointers, etc. Array index out of bounds Buffer overflow when calling various functions memset,strcpy,.. Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds | ||||||||
Cppcheck Premium |
| arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond, possibleBufferAccessOutOfBounds premium-cert-arr30-c | Context sensitive analysis of array index, pointers, etc. Array index out of bounds Buffer overflow when calling various functions memset,strcpy,.. Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds | ||||||
Helix QAC |
| C2840 DF2820, DF2821, DF2822, DF2823, DF2840, DF2841, DF2842, DF2843, DF2930, DF2931, DF2932, DF2933, DF2935, DF2936, DF2937, DF2938, DF2950, DF2951, DF2952, DF2953 | |||||||
Klocwork |
| ABV.GENERAL | |||||||
LDRA tool suite |
| 45 D, 47 S, 476 S, 489 |
Array index outside bounds during array access
Array index from unsecure source possibly outside array bounds
Pointer dereferenced outside its bounds
Offset is from an unsecure source and dereference may be out of bounds
Pointer from an unsecure source may be NULL or point to unknown memory
2840, 2841, 2842, 2843, 2844, 2930, 2931, 2932, 2933, 2934, 2950,
2951, 2952, 2953
2820, 2821, 2822, 2823, 2824, 2840, 2841, 2842, 2843, 2844, 2930,
2931, 2932, 2950, 2951, 2952
Context sensitive analysis of array index, pointers, etc.
Array index out of bounds
Buffer overflow when calling various functions memset,strcpy,..
Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead
Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds
Related Vulnerabilities
CVE-2008-1517 results from a violation of this rule. Before Mac OSX version 10.5.7, the XNU kernel accessed an array at an unverified user-input index, allowing an attacker to execute arbitrary code by passing an index greater than the length of the array and therefore accessing outside memory [xorl 2009].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
ISO/IEC TR 24772:2013 | Arithmetic Wrap-Around Error [FIF] Unchecked Array Indexing [XYZ] |
ISO/IEC TS 17961 | Forming or using out-of-bounds pointers or array subscripts [invptr] |
MITRE CWE | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer |
MISRA C:2012 | Rule 18.1 (required) |
Bibliography
S, 64 X, 66 X, 68 X, 69 X, 70 X, 71 X, 79 X | Partially implemented | ||||||||
Parasoft C/C++test |
| CERT_C-ARR30-a | Avoid accessing arrays out of bounds | ||||||
Parasoft Insure++ | Runtime analysis | ||||||||
PC-lint Plus |
| 413, 415, 416, 613, 661, 662, 676 | Fully supported | ||||||
Polyspace Bug Finder |
| Checks for:
Rule partially covered. | |||||||
PVS-Studio |
| V512, V557, V582, V594, V643, V645, V694, V1086 | |||||||
RuleChecker |
| array-index-range-constant return-reference-local | Partially checked | ||||||
TrustInSoft Analyzer |
| index_in_address | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
CVE-2008-1517 results from a violation of this rule. Before Mac OSX version 10.5.7, the XNU kernel accessed an array at an unverified user-input index, allowing an attacker to execute arbitrary code by passing an index greater than the length of the array and therefore accessing outside memory [xorl 2009].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
ISO/IEC TR 24772:2013 | Arithmetic Wrap-Around Error [FIF] | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TR 24772:2013 | Unchecked Array Indexing [XYZ] | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TS 17961 | Forming or using out-of-bounds pointers or array subscripts [invptr] | Prior to 2018-01-12: CERT: Unspecified Relationship |
CWE 2.11 | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | 2017-05-18: CERT: Rule subset of CWE |
CWE 2.11 | CWE-123, Write-what-where Condition | 2017-05-18: CERT: Partial overlap |
CWE 2.11 | CWE-125, Out-of-bounds Read | 2017-05-18: CERT: Partial overlap |
MISRA C:2012 | Rule 18.1 (required) | Prior to 2018-01-12: CERT: Unspecified Relationship |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-119 and ARR30-C
Independent( ARR30-C, ARR38-C, ARR32-C, INT30-C, INT31-C, EXP39-C, EXP33-C, FIO37-C)
STR31-C = Subset( Union( ARR30-C, ARR38-C))
STR32-C = Subset( ARR38-C)
CWE-119 = Union( ARR30-C, ARR38-C)
Intersection( ARR30-C, ARR38-C) = Ø
CWE-394 and ARR30-C
Intersection( ARR30-C, CWE-394) = Ø
CWE-394 deals with potentially-invalid function return values. Which may be used as an (invalid) array index, but validating the return value is a separate operation.
CWE-125 and ARR30-C
Independent( ARR30-C, ARR38-C, EXP39-C, INT30-C)
STR31-C = Subset( Union( ARR30-C, ARR38-C))
STR32-C = Subset( ARR38-C)
CWE-125 = Subset( CWE-119) = Union( ARR30-C, ARR38-C)
Intersection( ARR30-C, CWE-125) =
- Reading from an out-of-bounds array index, or off the end of an array
ARR30-C – CWE-125 =
- Writing to an out-of-bounds array index, or off the end of an array
CWE-125 – ARR30-C =
- Reading beyond a non-array buffer
- Using a library function to achieve an out-of-bounds read.
CWE-123 and ARR30-C
Independent(ARR30-C, ARR38-C)
STR31-C = Subset( Union( ARR30-C, ARR38-C))
STR32-C = Subset( ARR38-C)
Intersection( CWE-123, ARR30-C) =
- Write of arbitrary value to arbitrary (probably invalid) array index
ARR30-C – CWE-123 =
- Read of value from arbitrary (probably invalid) array index
- Construction of invalid index (pointer arithmetic)
CWE-123 – ARR30-C =
- Arbitrary writes that do not involve directly constructing an invalid array index
CWE-129 and ARR30-C
Independent( ARR30-C, ARR32-C, INT31-C, INT32-C)
ARR30-C = Union( CWE-129, list), where list =
- Dereferencing an out-of-bounds array index, where index is a trusted value
- Forming an out-of-bounds array index, without dereferencing it, whether or not index is a trusted value. (This excludes the array’s TOOFAR index, which is one past the final element; this behavior is well-defined in C11.)
CWE-120 and ARR30-C
See CWE-120 and MEM35-C
CWE-122 and ARR30-C
Intersection( ARR30-C, CWE-122) = Ø
CWE-122 specifically addresses buffer overflows on the heap operations, which occur in the context of string-copying. ARR30 specifically addresses improper creation or references of array indices. Which might happen as part of a heap buffer overflow, but is on a lower programming level.
CWE-20 and ARR30-C
See CWE-20 and ERR34-C
CWE-687 and ARR30-C
Intersection( CWE-687, ARR30-C) = Ø
ARR30-C is about invalid array indices which are created through pointer arithmetic, and dereferenced through an operator (* or []). Neither involve function calls, thus CWE-687 does not apply.
CWE-786 and ARR30-C
ARR30-C = Union( CWE-786, list) where list =
- Access of memory location after end of buffer
- Construction of invalid arry reference (pointer). This does not include an out-of-bounds array index (an integer).
CWE-789 and ARR30-C
Intersection( CWE-789, ARR30-C) = Ø
CWE-789 is about allocating memory, not array subscripting
Bibliography
[Finlay 2003] | |
[Microsoft 2003] | |
[Pethia 2003] |
[Seacord 2013b] | Chapter 1, "Running with Scissors" |
[Viega 2005] | Section 5.2.13, "Unchecked Array Indexing" |
[xorl 2009 ] | "CVE-2008-1517: Apple Mac OS X (XNU) Missing Array Index Validation" |
...
...