...
UB | Description | Example Code |
|---|---|---|
Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that does not point into, or just beyond, the same array object. | ||
Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that points just beyond the array object and is used as the operand of a unary | Dereferencing Past the End Pointer, Using Past the End Index | |
An array subscript is out of range, even if an object is apparently accessible with the given subscript, for example, in the lvalue expression | ||
An attempt is made to access, or generate a pointer to just past, a flexible array member of a structure when the referenced object provides no elements for that array. |
...
In this noncompliant code example, the function f() attempts to validate the index before using it as an offset to the statically allocated table of integers. However, the function fails to reject negative index values. When index is less than zero, the behavior of the addition expression in the return statement of the function is undefined behavior 4643. On some implementations, the addition alone can trigger a hardware trap. On other implementations, the addition may produce a result that when dereferenced triggers a hardware trap. Other implementations still may produce a dereferenceable pointer that points to an object distinct from table. Using such a pointer to access the object may lead to information exposure or cause the wrong object to be modified.
...
This noncompliant code example shows the flawed logic in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface that was exploited by the W32.Blaster.Worm. The error is that the while loop in the GetMachineName() function (used to extract the host name from a longer string) is not sufficiently bounded. When the character array pointed to by pwszTemp does not contain the backslash character among the first MAX_COMPUTERNAME_LENGTH_FQDN + 1 elements, the final valid iteration of the loop will dereference past the end pointer, resulting in exploitable undefined behavior 47 44. In this case, the actual exploit allowed the attacker to inject executable code into a running program. Economic damage from the Blaster worm has been estimated to be at least $525 million [Pethia 2003].
...
In this compliant solution, the while loop in the GetMachineName() function is bounded so that the loop terminates when a backslash character is found, the null-termination character (L'\0') is discovered, or the end of the buffer is reached. Or, as coded, the while loop continues as long as each character is neither a backslash nor a null character and is not at the end of the buffer. This code does not result in a buffer overflow even if no backslash character is found in wszMachineName.
| Code Block | ||||
|---|---|---|---|---|
| ||||
HRESULT GetMachineName(
wchar_t *pwszPath,
wchar_t wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1])
{
wchar_t *pwszServerName = wszMachineName;
wchar_t *pwszTemp = pwszPath + 2;
wchar_t *end_addr
= pwszServerName + MAX_COMPUTERNAME_LENGTH_FQDN;
while ( (*pwszTemp != L'\\') &&
&& ((*pwszTemp != L'\0')) &&
&& (pwszServerName < end_addr) )
{
*pwszServerName++ = *pwszTemp++;
}
/* ... */
}
|
...
This noncompliant code example declares matrix to consist of 7 rows and 5 columns in row-major order. The function init_matrix iterates over all 35 elements in an attempt to initialize each to the value given by the function argument x. However, because multidimensional arrays are declared in C in row-major order, the function iterates over the elements in column-major order, and when the value of j reaches the value COLS during the first iteration of the outer loop, the function attempts to access element matrix[0][5]. Because the type of matrix is int[7][5], the j subscript is out of range, and the access has undefined behavior 49 46.
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stddef.h>
#define COLS 5
#define ROWS 7
static int matrix[ROWS][COLS];
void init_matrix(int x) {
for (size_t i = 0; i < COLS; i++) {
for (size_t j = 0; j < ROWS; j++) {
matrix[i][j] = x;
}
}
}
|
...
In this noncompliant code example, the function find() attempts to iterate over the elements of the flexible array member buf, starting with the second element. However, because function g() does not allocate any storage for the member, the expression first++ in find() attempts to form a pointer just past the end of buf when there are no elements. This attempt is undefined behavior 6259. (See MSC21-C. Use robust loop termination conditions for more information.)
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdlib.h>
struct S {
size_t len;
char buf[]; /* Flexible array member */
};
const char *find(const struct S *s, int c) {
const char *first = s->buf;
const char *last = s->buf + s->len;
while (first++ != last) { /* Undefined behavior */
if (*first == (unsigned char)c) {
return first;
}
}
return NULL;
}
void g(void) {
struct S *s = (struct S *)malloc(sizeof(struct S));
if (s == NULL) {
/* Handle error */
}
s->len = 0;
find(s, 'a');
} |
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
#include <stdlib.h>
struct S {
size_t len;
char buf[]; /* Flexible array member */
};
const char *find(const struct S *s, int c) {
const char *first = s->buf;
const char *last = s->buf + s->len;
while (first != last) { /* Avoid incrementing here */
if (*++first == (unsigned char)c) {
return first;
}
}
return NULL;
}
void g(void) {
struct S *s = (struct S *)malloc(sizeof(struct S));
if (s == NULL) {
/* Handle error */
}
s->len = 0;
find(s, 'a');
} |
...
This function fails to check if the allocation succeeds, which is a violation of ERR33-C. Detect and handle standard library errors. If the allocation fails, then malloc() returns a null pointer. The null pointer is added to offset and passed as the destination argument to memcpy(). Because a null pointer does not point to a valid object, the result of the pointer arithmetic is undefined behavior 4643.
An attacker who can supply the arguments to this function can exploit it to execute arbitrary code. This can be accomplished by providing an overly large value for block_size, which causes malloc() to fail and return a null pointer. The offset argument will then serve as the destination address to the call to memcpy(). The attacker can specify the data and data_size arguments to provide the address and length of the address, respectively, that the attacker wishes to write into the memory referenced by offset. The overall result is that the call to memcpy() can be exploited by an attacker to overwrite an arbitrary memory location with an attacker-supplied address, typically resulting in arbitrary code execution.
...
Tool | Version | Checker | Description | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| array-index-range | Partially checked | Can detect all accesses to invalid pointers as well as array index out-of-bounds accesses and prove their absence. This rule is only partially checked as invalid but unused pointers may not be reported. | |||||||||||||||||
| Axivion Bauhaus Suite | CodeSonar
| CodeSonar
| CodeSonar
| CertC-ARR30 | Can detect out-of-bound access to array / buffer | ||||||||||||||||
| CodeSonar |
| LANG.MEM.BO | LANG.MEM.BOBU | Buffer overrun | |||||||||||||||||
| Compass/ROSE | Could be configured to catch violations of this rule. The way to catch the noncompliant code example is to first hunt for example code that follows this pattern: for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\'; In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer. Once this case is handled, ROSE can handle cases like the real noncompliant code example, which is effectively the same semantics, just different syntax | ||||||||||||||||||||
| OVERRUN NEGATIVE_RETURNS ARRAY_VS_SINGLETON BUFFER_SIZE | Can detect the access of memory past the end of a memory buffer/array Can detect when the loop bound may become negative Can detect the out-of-bound read/write to array allocated statically or dynamically Can detect buffer overflows | |||||||||||||||||||
| Cppcheck |
| arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond, possibleBufferAccessOutOfBounds | Context sensitive analysis of array index, pointers, etc. Array index out of bounds Buffer overflow when calling various functions memset,strcpy,.. Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds | ||||||||||||||||||
| KlocworkCppcheck Premium |
| Klocwork
| Klocwork
| arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond, possibleBufferAccessOutOfBounds premium-cert-arr30-c | Context sensitive analysis of array index, pointers, etc. Array index out of bounds Buffer overflow when calling various functions memset,strcpy,.. Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds | ||||||||||||||||
| Helix QAC |
| C2840 DF2820, DF2821, DF2822, DF2823, DF2840, DF2841, DF2842, DF2843, DF2930, DF2931, DF2932, DF2933, DF2935, DF2936, DF2937, DF2938, DF2950, DF2951, DF2952, DF2953 | |||||||||||||||||||
| Klocwork |
| ABV.GENERAL | ABV.ANY_SIZE_ARRAY|||||||||||||||||||
| LDRA tool suite |
| 45 D, 47 S, 476 S, 489 S, 64 X, 66 X, 68 X, 69 X, 70 X, 71 X, 79 X | Partially implemented | ||||||||||||||||||
| Parasoft C/C++test |
| CERT_C-ARR30-a | Avoid accessing arrays out of bounds | Parasoft Insure++ | Runtime analysis | Polyspace Bug Finder | |||||||||||||||
| Include Page | Polyspace Bug Finder_V | Polyspace Bug Finder_V | Array access with tainted index | Array index outside bounds during array access Array index from unsecure source possibly outside array bounds Pointer dereferenced outside its bounds Offset is from an unsecure source and dereference may be out of bounds Pointer from an unsecure source may be NULL or point to unknown memory A pointer resulting from arithmetic on a pointer operand shall address an element of the same array as that pointer operand | |||||||||||||||||
| Parasoft Insure++ | Runtime analysis | ||||||||||||||||||||
| PC-lint Plus |
| 413, 415, 416, 613, 661, 662, 676 | Fully supported | ||||||||||||||||||
| Polyspace Bug Finder |
| Checks for:
Rule partially covered. | PRQA QA-C | ||||||||||||||||||
| Include Page | PRQA QA-C_v | PRQA QA-C_v | 2840, 2841, 2842, 2843, 2844, 2930, 2931, 2932, 2933, 2934, 2950, | Partially implemented | PRQA QA-C++ | ||||||||||||||||
| Include Page | cplusplus:PRQA QA-C++_V | cplusplus:PRQA QA-C++_V | 2820, 2821, 2822, 2823, 2824, 2840, 2841, 2842, 2843, 2844, 2930, | Partially implemented | |||||||||||||||||
| PVS-Studio |
| V512, V557, V582, V594, V643, V645, V694, V1086 | |||||||||||||||||||
| RuleChecker |
| array-index-range-constant return-reference-local | Partially checked | ||||||||||||||||||
| TrustInSoft Analyzer |
| index_in_address | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
CVE-2008-1517 results from a violation of this rule. Before Mac OSX version 10.5.7, the XNU kernel accessed an array at an unverified user-input index, allowing an attacker to execute arbitrary code by passing an index greater than the length of the array and therefore accessing outside memory [xorl 2009].
...
Independent( ARR30-C, ARR38-C, ARR32-C, INT30-C, INT31-C, EXP39-C, EXP33-C, FIO37-C)
STR31-C = Subset( Union( ARR30-C, ARR38-C))
STR32-C = Subset( ARR38-C)
CWE-119 = Union( ARR30-C, ARR38-C)
Intersection( ARR30-C, ARR38-C) = Ø
...
Independent( ARR30-C, ARR38-C, EXP39-C, INT30-C)
STR31-C = Subset( Union( ARR30-C, ARR38-C))
STR32-C = Subset( ARR38-C)
CWE-125 = Subset( CWE-119) = Union( ARR30-C, ARR38-C)
Intersection( ARR30-C, CWE-125) =
...
Independent(ARR30-C, ARR38-C)
STR31-C = Subset( Union( ARR30-C, ARR38-C))
STR32-C = Subset( ARR38-C)
...