...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdlib.h> #include <string.h> enum { N1 = 4096 }; void *func(size_t n2) { typedef int A[n2][N1]; A *array = malloc(sizeof(A)); if (!array) { /* Handle error */ return NULL; } for (size_t i = 0; i != n2; ++i) { memset(array[i], 0, N1 * sizeof(int)); } return array; } |
Furthermore, this code also violates ARR39-C. Do not add or subtract a scaled integer to a pointer, where array
is a pointer to the two-dimensional array, where it should really be a pointer to the latter dimension instead. This means that the memset()
call does out-of-bounds writes on all of its invocations except the first.
Compliant Solution (sizeof
)
This compliant solution prevents sizeof
wrapping by detecting the condition before it occurs and avoiding the subsequent computation when the condition is detected. The code also uses an additional typedef to fix the type of array
so that memset()
never writes past the two-dimensional array.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdint.h> #include <stdlib.h> #include <string.h> enum { N1 = 4096 }; void *func(size_t n2) { if (n2 > SIZE_MAX / (N1 * sizeof(int))) { /* Prevent sizeof wrapping */ return NULL; } typedef int A1[N1]; typedef A1 A[n2][N1]; AA1 *array = (A1*) malloc(sizeof(A)); if (!array) { /* Handle error */ return NULL; } for (size_t i = 0; i != n2; ++i) { memset(array[i], 0, N1 * sizeof(int)); } return array; } |
...
Failure to properly specify the size of a variable length array may allow arbitrary code execution or result in stack exhaustion.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ARR32-C | High | Probable | High | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
CodeSonar |
| ALLOC.SIZE.IOFLOW | Integer Overflow of Allocation Size | ||||||
Coverity |
| REVERSE_NEGATIVE | Fully implemented | |||||||
Cppcheck |
| negativeArraySize | Context sensitive analysis | ||||||
Cppcheck Premium |
| negativeArraySize premium-cert-arr32-c | Context sensitive analysis Will warn only if given size is negative | ||||||
Helix QAC |
| C1051 | |||||||
Klocwork |
| MISRA.ARRAY.VAR_LENGTH.2012 | |||||||
LDRA tool suite |
| 621 S | Enhanced enforcement |
Size of the variable-length array (VLA) is from an unsecure source and may be zero, negative, or too large
Parasoft C/C++test |
| CERT_C-ARR32-a | Ensure the size of the variable length array is in valid range | ||||||
PC-lint Plus |
| 9035 | Assistance provided | ||||||
Polyspace Bug Finder |
| Checks for:
Rule fully covered. | |||||||
TrustInSoft Analyzer |
| alloca_bounds | Exhaustively verified. |
Will warn only if given size is negative
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
CERT C Secure Coding Standard | INT01-C. Use rsize_t or size_t for all integer values representing the size of an object | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TR 24772:2013 | Unchecked Array Indexing [XYZ] | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TS 17961:2013 | Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink] | Prior to 2018-01-12: CERT: Unspecified Relationship |
CWE 2.11 | CWE-758 | 2017-06-29: CERT: Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-129 and ARR32-C
Intersection( CWE-188, EXP39-C) = Ø
ARR32-C addresses specifying the size of a variable-length array (VLA). CWE-129 addresses invalid array indices, not array sizes.
CWE-758 and ARR32-C
Independent( INT34-C, INT36-C, MSC37-C, FLP32-C, EXP33-C, EXP30-C, ERR34-C, ARR32-C)
CWE-758 = Union( ARR32-C, list) where list =
- Undefined behavior that results from anything other than too large a VLA dimension.
CWE-119 and ARR32-C
- Intersection( CWE-119, ARR32-C) = Ø
- ARR32-C is not about providing a valid buffer but reading/writing outside it. It is about providing an invalid buffer, or one that exhausts the stack.
Bibliography
...
...