An Every object has a storage duration that determines its lifetime. There are three storage durations: static, thread, automatic, and or allocated.unmigrated-wiki-markup
According to \[[to the C Standard, 6.2.4, paragraph 2 [ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\]:9899:2024],
The lifetime of an object is the portion of program execution during which storage is guaranteed to be reserved for it. An object exists, has a constant address, and retains
its last-stored value throughout its lifetime. If an object is referred to outside of its lifetime, the behavior is undefined. The value of a pointer becomes indeterminate when
the object it points to reaches the end of its lifetime.
Non-Compliant Code Example 1
If a pointer value is used in an evaluation after the object the pointer points to (or just past) reaches the end of its lifetime, the behavior is undefined.
Do not attempt to access an object outside of its lifetime. Attempting to do so is undefined behavior and can lead to an exploitable vulnerability. (See also undefined behavior 9 in the C Standard, Annex J.)
Noncompliant Code Example (Differing Storage Durations)
In this noncompliant code example, the address of the variable c_str
with automatic storage duration is assigned to the variable p
, which has static storage duration. The assignment itself is valid, but it is invalid for c_str
to go out of scope while p
holds its address, as happens at the end of This non-compliant code example declares the variable p
as a pointer to a constant char
with file scope. The value of str
is assigned to p
within the dont_do_this()
function. However, str
has automatic storage duration so the lifetime of str
ends when the dont_do_this
()
function exits.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdio.h> const char const *p; void dont_do_this(void) { const char const c_str[] = "This will change"; p = c_str; /* dangerousDangerous */ /* ... */ } void innocuous(void) { char const str[] = "Surprise, surprise"printf("%s\n", p); } /* ... */ int main(void) { dont_do_this(); innocuous(); /* now, it is likely that p is pointing to "Surprise, surprise" */ |
As a result of this undefined behavior, it is likely that p
will refer to the string literal "Surprise, surprise"
after the call to the innocuous()
function.
Compliant Solution 1
return 0;
} |
Compliant Solution (Same Storage Durations)
In this compliant solution, the pointer to the constant char p
is moved within the declared with the same storage duration as c_str
, preventing p
from taking on an indeterminate value outside of this_is_OK()
to prevent this variable from being accessed outside of the function.:
Code Block | ||||
---|---|---|---|---|
| ||||
void this_is_OK(void) { const char const c_str[] = "Everything OK"; const char const *p = c_str; /* ... */ } /* pointer p is now inaccessible outside the scope of string c_str */ |
Non-Compliant Code Example 2
In this example, the function func()
incorrectly returns a pointer to a local stack variable.
Alternatively, both p
and c_str
could be declared with static storage duration.
Compliant Solution (Differing Storage Durations)
If it is necessary for p
to be defined with static storage duration but c_str
with a more limited duration, then p
can be set to NULL
before c_str
is destroyed. This practice prevents p
from taking on an indeterminate value, although any references to p
must check for NULL
.
Code Block | ||||
---|---|---|---|---|
| ||||
const char *p;
void is_this_OK(void) {
const char c_str[] = "Everything OK?";
p = c_str;
/* ... */
p = NULL;
}
|
Noncompliant Code Example (Return Values)
In this noncompliant code sample, the function init_array
()
returns a pointer to a character array with automatic storage duration, which is accessible to the caller:
Code Block | ||||
---|---|---|---|---|
| ||||
char *init_array(void | ||||
Code Block | ||||
char * func() { char aarray[10] ; /* Initialize ...array */ return &a[0]array; } |
Compiling with appropriate warning levels should Some compilers generate a warning diagnostic message when a local stack variable pointer to an object with automatic storage duration is returned from a function, as in this example. Programmers should compile code at high warning levels and resolve any diagnostic messages. (See MSC00-C. Compile cleanly at high warning levels.)
Compliant Solution
...
(Return Values)
The solution, in this case, Correcting this example depends on the intent of the programmer. If the intent is to modify the value of a
array
and have it available outside of functhat modification persist outside the scope of init_array()
, then a
the desired behavior can be declared achieved by declaring array
elsewhere and passed passing it as an parameter argument to funcinit_array()
.:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stddef.h> void func(char a[] init_array(char *array, size_t len) { /* Initialize array */ return; } int main(void) { char array[10]; init_array(array, sizeof(array) / sizeof(array[0])); /* ... */ return 0; } |
Noncompliant Code Example (Output Parameter)
In this noncompliant code example, the function squirrel_away()
stores a pointer to local variable local
into a location pointed to by function parameter ptr_param
. Upon the return of squirrel_away()
, the pointer ptr_param
points to a variable that has an expired lifetime.
Code Block | ||||
---|---|---|---|---|
| ||||
void squirrel_away(char **ptr_param) { char local[10]; /* Initialize array */ *ptr_param = local; } void rodent(void) { char *ptr; squirrel_away(&ptr); /* ptr is live but invalid here */ } |
Compliant Solution (Output Parameter)
In this compliant solution, the variable local
has static storage duration; consequently, ptr
can be used to reference the local
array within the rodent()
function:
Code Block | ||||
---|---|---|---|---|
| ||||
char local[10]; void squirrel_away(char **ptr_param) { /* Initialize array/* Operate on a */ return; *ptr_param = local; } void rodent(void) { char *ptr; squirrel_away(&ptr); /* ptr is valid in this scope */ } |
Risk Assessment
Referencing an object outside of its lifetime could can result in an attacker being able to run execute arbitrary code.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
DCL30-C |
3 (high)
2 (probable)
High | Probable | High | P6 | L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Automated Detection
...
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| pointered-deallocation return-reference-local | Fully checked | ||||||
Axivion Bauhaus Suite |
| CertC-DCL30 | Fully implemented | ||||||
CodeSonar |
| LANG.STRUCT.RPL | Returns pointer to local | ||||||
Compass/ROSE | Can detect violations of this rule. It automatically detects returning pointers to local variables. Detecting more general cases, such as examples where static pointers are set to local variables which then go out of scope, would be difficult | ||||||||
| RETURN_LOCAL | Finds many instances where a function will return a pointer to a local stack variable. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary | |||||||
Cppcheck |
| danglingLifetime | Fully implemented | ||||||
Cppcheck Premium |
| danglingLifetime | Fully implemented | ||||||
Helix QAC |
| C3217, C3225, C3230, C4140 C++2515, C++2516, C++2527, C++2528, C++4026, C++4624, C++4629 | Fully implemented | ||||||
Klocwork |
| LOCRET.ARG | Fully implemented | ||||||
LDRA tool suite |
| 42 D, 77 D, 71 S, 565 S | Enhanced Enforcement | ||||||
Parasoft C/C++test |
| CERT_C-DCL30-a | The address of an object with automatic storage shall not be returned from a function | ||||||
PC-lint Plus |
| 604, 674, 733, 789 | Partially supported | ||||||
Polyspace Bug Finder |
| Checks for pointer or reference to stack variable leaving scope (rule fully covered) | |||||||
PVS-Studio |
| V506, V507, V558, V623, V723, V738 | |||||||
RuleChecker |
| return-reference-local | Partially checked | ||||||
Splint |
| ||||||||
TrustInSoft Analyzer |
| dangling_pointer | Exhaustively detects undefined behavior (see one compliant and one non-compliant example). |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
CERT C Secure Coding Standard | MSC00-C. Compile cleanly at high warning levels | Prior to 2018-01-12: CERT: Unspecified Relationship |
CERT C | EXP54-CPP. Do not access an object outside of its lifetime | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TR 24772:2013 | Dangling References |
...
to Stack Frames [DCM] | Prior to 2018-01-12: CERT: Unspecified Relationship | |
ISO/IEC TS 17961 | Escaping of the address of an automatic object [addrescape] | Prior to 2018-01-12: CERT: Unspecified Relationship |
MISRA C:2012 | Rule 18.6 (required) | Prior to 2018-01-12: CERT: Unspecified Relationship |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-562 and DCL30-C
DCL30-C = Union( CWE-562, list) where list =
- Assigning a stack pointer to an argument (thereby letting it outlive the current function
Bibliography
[Coverity 2007] | |
[ISO/IEC 9899:2024] | 6.2.4, |
...
"Storage Durations of Objects" |
...
durations of objects," and Section 7.20.3, "Memory management functions"