...
In this compliant solution, the while
loop in the GetMachineName()
function is bounded so that the loop terminates when a backslash character is found, the null-termination character (L'\0'
) is discovered, or the end of the buffer is reached. Or, as coded, the while loop continues as long as each character is neither a backslash nor a null character and is not at the end of the buffer. This code does not result in a buffer overflow even if no backslash character is found in wszMachineName
.
Code Block | ||||
---|---|---|---|---|
| ||||
HRESULT GetMachineName( wchar_t *pwszPath, wchar_t wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1]) { wchar_t *pwszServerName = wszMachineName; wchar_t *pwszTemp = pwszPath + 2; wchar_t *end_addr = pwszServerName + MAX_COMPUTERNAME_LENGTH_FQDN; while ( (*pwszTemp != L'\\') && && ((*pwszTemp != L'\0')) && && (pwszServerName < end_addr) ) { *pwszServerName++ = *pwszTemp++; } /* ... */ } |
...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdlib.h>
struct S {
size_t len;
char buf[]; /* Flexible array member */
};
const char *find(const struct S *s, int c) {
const char *first = s->buf;
const char *last = s->buf + s->len;
while (first++ != last) { /* Undefined behavior */
if (*first == (unsigned char)c) {
return first;
}
}
return NULL;
}
void g(void) {
struct S *s = (struct S *)malloc(sizeof(struct S));
if (s == NULL) {
/* Handle error */
}
s->len = 0;
find(s, 'a');
} |
...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdlib.h> struct S { size_t len; char buf[]; /* Flexible array member */ }; const char *find(const struct S *s, int c) { const char *first = s->buf; const char *last = s->buf + s->len; while (first != last) { /* Avoid incrementing here */ if (*++first == (unsigned char)c) { return first; } } return NULL; } void g(void) { struct S *s = (struct S *)malloc(sizeof(struct S)); if (s == NULL) { /* Handle error */ } s->len = 0; find(s, 'a'); } |
...
Tool | Version | Checker | Description | |||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Astrée |
| pointeredarray-index- | deallocationrange | Partially checked Can detect all accesses to invalid pointers as well as array index out-of-bounds accesses and prove their absence. This rule is only partially checked as invalid but unused pointers may not be reported. | ||||||||||||||||||||||||||||
Axivion Bauhaus Suite |
| CertC-ARR30 | Can detect out-of-bound access to array / buffer | |||||||||||||||||||||||||||||
CodeSonar | CodeSonar | |||||||||||||||||||||||||||||||
Include Page |
|
| LANG.MEM.BO | Buffer overrun | ||||||||||||||||||||||||||||
Compass/ROSE | Could be configured to catch violations of this rule. The way to catch the noncompliant code example is to first hunt for example code that follows this pattern: for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\'; In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer. Once this case is handled, ROSE can handle cases like the real noncompliant code example, which is effectively the same semantics, just different syntax | |||||||||||||||||||||||||||||||
| OVERRUN NEGATIVE_RETURNS ARRAY_VS_SINGLETON BUFFER_SIZE | Can detect the access of memory past the end of a memory buffer/array Can detect when the loop bound may become negative Can detect the out-of-bound read/write to array allocated statically or dynamically Can detect buffer overflows | ||||||||||||||||||||||||||||||
KlocworkCppcheck |
| Klocwork
| Klocwork
| ABV.ANY_SIZE_ARRAY | LDRA tool suite | |||||||||||||||||||||||||||
Include Page | LDRA_V | LDRA_V | 45 D, 47 S, 476 S, 489 S, 64 X, 66 X, 68 X, 69 X, 70 X, 71 X, 79 X | Partially implemented | Parasoft C/C++test | |||||||||||||||||||||||||||
Include Page | Parasoft_V | Parasoft_V | BD-PB-ARRAY | Partially implemented | ||||||||||||||||||||||||||||
Polyspace Bug Finder | R2016a | Array index outside bounds during array access Array index from unsecure source possibly outside array bounds Pointer dereferenced outside its bounds Offset is from an unsecure source and dereference may be out of bounds Pointer from an unsecure source may be NULL or point to unknown memory | ||||||||||||||||||||||||||||||
arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond, possibleBufferAccessOutOfBounds | Context sensitive analysis of array index, pointers, etc. Array index out of bounds Buffer overflow when calling various functions memset,strcpy,.. Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds | |||||||||||||||||||||||||||||||
Cppcheck Premium |
| arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond, possibleBufferAccessOutOfBounds premium-cert-arr30-c | Context sensitive analysis of array index, pointers, etc. Array index out of bounds Buffer overflow when calling various functions memset,strcpy,.. Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds | |||||||||||||||||||||||||||||
Helix QAC |
| C2840 DF2820, DF2821, DF2822, DF2823, DF2840, DF2841, DF2842, DF2843, DF2930, DF2931, DF2932, DF2933, DF2935, DF2936, DF2937, DF2938, DF2950, DF2951, DF2952, DF2953 | ||||||||||||||||||||||||||||||
Klocwork |
| ABV.GENERAL | ||||||||||||||||||||||||||||||
LDRA tool suite |
| 45 D, 47 S, 476 S, 489 S, 64 X, 66 X, 68 X, 69 X, 70 X, 71 X, 79 X | Partially implemented | |||||||||||||||||||||||||||||
Parasoft C/C++test |
| CERT_C-ARR30-a | Avoid accessing arrays out of bounds | |||||||||||||||||||||||||||||
Parasoft Insure++ | Runtime analysis | |||||||||||||||||||||||||||||||
PC-lint Plus |
| 413, 415, 416, 613, 661, 662, 676 | Fully supported | |||||||||||||||||||||||||||||
Polyspace Bug Finder |
| Checks for:
Rule partially covered. | ||||||||||||||||||||||||||||||
PVS-Studio |
| PRQA QA-C | ||||||||||||||||||||||||||||||
Include Page | PRQA QA-C_v | PRQA QA-C_v | 2840, 2841, 2842, 2843, 2844, 2930, 2931, 2932, 2933, 2934, 2950, | Partially implemented | PRQA QA-C++ | |||||||||||||||||||||||||||
Include Page | cplusplus:PRQA QA-C++_V | cplusplus:PRQA QA-C++_V | 2820, 2821, 2822, 2823, 2824, 2840, 2841, 2842, 2843, 2844, 2930, | Partially implemented | Cppcheck | |||||||||||||||||||||||||||
Include Page | Cppcheck_V | Cppcheck_V | arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond, possibleBufferAccessOutOfBounds | Context sensitive analysis of array index, pointers, etc. Array index out of bounds Buffer overflow when calling various functions memset,strcpy,.. Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds | PVS-Studio | 6.22V512, V557, V582, V594, V643, V645, V694 | General analysis rule set, V1086 | |||||||||||||||||||||||||
RuleChecker |
| array-index-range-constant return-reference-local | Partially checked | |||||||||||||||||||||||||||||
TrustInSoft Analyzer |
| index_in_address | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
CVE-2008-1517 results from a violation of this rule. Before Mac OSX version 10.5.7, the XNU kernel accessed an array at an unverified user-input index, allowing an attacker to execute arbitrary code by passing an index greater than the length of the array and therefore accessing outside memory [xorl 2009].
...
Independent( ARR30-C, ARR38-C, ARR32-C, INT30-C, INT31-C, EXP39-C, EXP33-C, FIO37-C)
STR31-C = Subset( Union( ARR30-C, ARR38-C))
STR32-C = Subset( ARR38-C)
CWE-119 = Union( ARR30-C, ARR38-C)
Intersection( ARR30-C, ARR38-C) = Ø
...
Independent( ARR30-C, ARR38-C, EXP39-C, INT30-C)
STR31-C = Subset( Union( ARR30-C, ARR38-C))
STR32-C = Subset( ARR38-C)
CWE-125 = Subset( CWE-119) = Union( ARR30-C, ARR38-C)
Intersection( ARR30-C, CWE-125) =
...
Independent(ARR30-C, ARR38-C)
STR31-C = Subset( Union( ARR30-C, ARR38-C))
STR32-C = Subset( ARR38-C)
...