SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 21

changes.mady.by.user Astha Singhal

Saved on

compared with

New Version Current

changes.mady.by.user Swasti Shrivastava

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Potentially exploitable The C Standard identifies the following distinct situations in which undefined behavior (UB) can arise as a result from any of the following:

...

of invalid pointer operations:

UB

Description

Example Code

46

Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that does not point into, or just

...

beyond, the same array object

...

.

Forming Out-of-Bounds Pointer, Null Pointer Arithmetic

47

Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that points just beyond the array object and is used as the operand of a unary * operator that is evaluated.

Dereferencing Past the End Pointer, Using Past the End Index

49

An array subscript is out of range, even if an object is apparently accessible with the given subscript, for example, in the lvalue expression a[1][7] given the declaration int a[4][5]).

Apparently Accessible Out-of-Range Index

62

An attempt is made to access, or generate a pointer to just past, a flexible array member of a structure when the referenced object provides no elements for that array.

Pointer Past Flexible Array Member

Anchor
Forming Out-of-Bounds Pointer
Forming Out-of-Bounds Pointer
Noncompliant Code Example (Forming Out-of-Bounds Pointer)

In this noncompliant code example, the function f() attempts to validate the index before using it as an offset to the statically allocated table of integers. However, the function fails to reject negative index values. When index is less than zero, the behavior of the addition expression in the return statement of the function is undefined behavior 46. On some implementations, the addition alone can trigger a hardware trap. On other implementations, the addition may produce a result that when dereferenced triggers a hardware trap. Other implementations still may produce a dereferenceable pointer that points to an object distinct from table. Using such a pointer to access the object may lead to information exposure or cause the wrong object to be modified.

Code Block
bgColor#ffcccc
langc
enum { TABLESIZE = 100 };

static int table[TABLESIZE];

int *f(int index) {
  if (index < TABLESIZE) {
    return table + index;
  }
  return NULL;
}

Compliant Solution

One compliant solution is to detect and reject invalid values of index if using them in pointer arithmetic would result in an invalid pointer:

Code Block
bgColor#ccccff
langc
enum { TABLESIZE = 100 };

static int table[TABLESIZE];

int *f(int index) {
  if (index >= 0 && index < TABLESIZE) {
    return table + index;
  }
  return NULL;
}

Compliant Solution

Another slightly simpler and potentially more efficient compliant solution is to use an unsigned type to avoid having to check for negative values while still rejecting out-of-bounds positive values of index:

Code Block
bgColor#ccccff
langc
#include <stddef.h>
 
enum { TABLESIZE = 100 };

static int table[TABLESIZE];

int *f(size_t

Wiki Markup
The C99 standard \[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999]\] identifies the following distinct situations in which undefined behavior (UB) can arise as a result of invalid pointer operations:

UB

Description

Example Code

43

Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that does not point into, or just beyond, the same array object.

#Forming Out Of Bounds Pointer

44

Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that points just beyond the array object and is used as the operand of a unary * operator that is evaluated.

#Dereferencing Past The End Pointer, #Using Past The End Index

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="e9a100e5-e074-4e1f-a62f-e78321ed65e1"><ac:plain-text-body><![CDATA[

[46

CC. Undefined Behavior#ub_46]

An array subscript is out of range, even if an object is apparently accessible with the given subscript (as in the lvalue expression a[1][7] given the declaration int a[4][5]).

[#Apparently Accessible Out Of Range Index]

]]></ac:plain-text-body></ac:structured-macro>

59

An attempt is made to access, or generate a pointer to just past, a flexible array member of a structure when the referenced object provides no elements for that array.

#Pointer Past Flexible Array Member

103

The pointer passed to a library function array parameter does not have a value such that all address computations and object accesses are valid.

#Invalid Access By Library Function

...

Noncompliant Code Example (Forming Out Of Bounds Pointer)

In the following noncompliant code example the function f() attempts to validate the index before using it as an offset to the statically allocated table of integers. However, the function fails to reject negative index values. When index is less than zero, the behavior of the addition expression in the return statement of the function is undefined 43. On some implementations, the addition alone can trigger a hardware trap. On other implementations, the addition may produce a result that when dereferenced can trigger a hardware trap. Other implementations still may produce a dereferenceable pointer that points to an object distinct from table. Using such a pointer to access the object may lead to information exposure or cause the wrong object to be modified.

Code Block
bgColor#ffcccc
langc

enum { TABLESIZE = 100 };

static int table[TABLESIZE];

int* f(int index) {
  if (index < TABLESIZE) {
    return table + index;
  }
  return NULL;
}

Compliant Solution

One compliant solution is to detect and reject invalid values of index if using them in pointer arithmetic would result in an invalid pointer.

Code Block
bgColor#ccccff
langc

enum { TABLESIZE = 100 };

static int table[TABLESIZE];

int* f(int index) {
  if (0 <= index && index < TABLESIZE)
    return table + index;

  return NULL;
}

Compliant Solution

Another, slightly simpler and potentially more efficient compliant solution is to use an unsigned type to avoid having to check for negative values while still rejecting out of bounds positive values of index.

Code Block
bgColor#ccccff
langc

enum { TABLESIZE = 100 };

static int table[TABLESIZE];

int* f(size_t index) {
  if (index < TABLESIZE)
    return table + index;

  return NULL;
}

...

Anchor
Dereferencing Past the End Pointer
Dereferencing Past the End Pointer
Noncompliant Code Example (Dereferencing Past-the-End Pointer)

This noncompliant code example shows the flawed logic in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface that was exploited by the W32.Blaster.Worm. The error is that the while loop in the GetMachineName() function (used to extract the host name from a longer string) is not sufficiently bounded. When the character array pointed to by pwszTemp does not contain the backslash character among the first MAX_COMPUTERNAME_LENGTH_FQDN + 1 elements, the final valid iteration of the loop will dereference past the end pointer, resulting in exploitable  undefined behavior 47. In this case, the actual exploit allowed the attacker to inject executable code into a running program. Economic damage from the Blaster worm has been estimated to be at least $525 million [Pethia 2003].

For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-119, "Improper Restriction of Operations within the Bounds of a Memory Buffer," and CWE-121, "Stack-based Buffer Overflow" [MITRE 2013].

Code Block
bgColor#ffcccc
langc
error_status_t _RemoteActivation(
      /* ... */, WCHAR *pwszObjectName, ... ) {
   *phr = GetServerPath(
              pwszObjectName, &pwszObjectName);
    /* ... */
}

HRESULT GetServerPath(
  WCHAR *pwszPath, WCHAR **pwszServerPath ){
  WCHAR *pwszFinalPath = pwszPath;
  WCHAR wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1];
  hr = GetMachineName(pwszPath, wszMachineName);
  *pwszServerPath = pwszFinalPath;
}

HRESULT GetMachineName(
  WCHAR *pwszPath,
  WCHAR wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1])
{
  pwszServerName = wszMachineName;
  LPWSTR pwszTemp = pwszPath + 2;
  while (*pwszTemp != L'\\')
    *pwszServerName++ = *pwszTemp++;
  /* ... */
}

Compliant Solution

In this compliant solution, the while loop in the GetMachineName() function is bounded so that the loop terminates when a backslash character is found, the null-termination character (L'\0') is discovered, or the end of the buffer is reached. Or, as coded, the while loop continues as long as each character is neither a backslash nor a null character and is not at the end of the buffer. This code does not result in a buffer overflow even if no backslash character is found in wszMachineName.

Code Block
bgColor#ccccff
langc
HRESULT GetMachineName(
  wchar_t *pwszPath,
  wchar_t wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1])
{
  wchar_t *pwszServerName = wszMachineName;
  wchar_t *pwszTemp = pwszPath + 2;
  wchar_t *end_addr
    = pwszServerName + MAX_COMPUTERNAME_LENGTH_FQDN;
  while ((*pwszTemp != L'\\') &&
         (*pwszTemp != L'\0') &&
         (pwszServerName < end_addr))
  {
    *pwszServerName++ = *pwszTemp++;
  }

  /* ... */
}

This compliant solution is for illustrative purposes and is not necessarily the solution implemented by Microsoft. This particular solution may not be correct because there is no guarantee that a backslash is found.

Anchor
Using Past the End Index
Using Past the End Index
Noncompliant Code Example (Using Past-the-End Index)

Similar to the dereferencing-past-the-end-pointer error, the function insert_in_table() in this noncompliant code example uses an otherwise valid index to attempt to store a value in an element just past the end of an array.

First, the function incorrectly validates the index pos against the size of the buffer. When pos is initially equal to size, the function attempts to store value in a memory location just past the end of the buffer.

Second, when the index is greater than size, the function modifies size before growing the size of the buffer. If the call to realloc() fails to increase the size of the buffer, the next call to the function with a value of pos equal to or greater than the original value of size will again attempt to store value in a memory location just past the end of the buffer or beyond.

Third, the function violates INT30-C. Ensure that unsigned integer operations do not wrap, which could lead to wrapping when 1 is added to pos or when size is multiplied by the size of int.

For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-122, "Heap-based Buffer Overflow," and CWE-129, "Improper Validation of Array Index" [MITRE 2013].

Code Block
bgColor#ffcccc
langc
#include <stdlib.h>
 
static int *table = NULL;
static size_t size = 0;

int insert_in_table(size_t pos, int value) {
  if (size < pos) {
    int *tmp;
    size = pos + 1;
    tmp = (int *)realloc(table, sizeof(*table) * size);
    if (tmp == NULL) {
      return -1;   /* Failure */
    }
    table = tmp;
  }

  table[pos] = value;
  return 0;
}

Compliant Solution

This compliant solution correctly validates the index pos by using the <= relational operator, ensures the multiplication will not overflow, and avoids modifying size until it has verified that the call to realloc() was successful:

Code Block
bgColor#ccccff
langc
#include <stdint.h>
#include <stdlib.h>
 
static int *table = NULL;
static size_t size = 0;

int insert_in_table(size_t pos, int value) {
  if (size <= pos) {
    if ((SIZE_MAX - 1 < pos) ||
        ((pos + 1) > SIZE_MAX / sizeof(*table))) {
      return -1;
    }
 
    int *tmp = (int *)realloc(table, sizeof(*table) * (pos + 1)

...

Noncompliant Code Example (Dereferencing Past The End Pointer)

Wiki Markup
The following noncompliant code example shows the flawed logic in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface that was exploited by the W32.Blaster.Worm.  The error is that the while loop in the {{GetMachineName()}} function (used to extract the host name from a longer string) is not sufficiently bounded. When the character array pointed to by {{pwszTemp}} does not contain the backslash character among the first {{MAX_COMPUTERNAME_LENGTH_FQDN + 1}} elements, the final valid iteration of the loop will dereference the past the end pointer resulting in exploitable undefined behavior [44|CC. Undefined Behavior#ub_44]. In this case, the actual exploit allowed the attacker to inject executable code into a running program. Economic damage from the Blaster worm has been estimated to be at least $525 million \[[Pethia 2003|AA. Bibliography#Pethia 03]\].

For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-119, "Failure to Constrain Operations within the Bounds of a Memory Buffer" and CWE-121, "Stack-based Buffer Overflow."

Code Block
bgColor#ffcccc
langc

error_status_t _RemoteActivation(
      /* ... */, WCHAR *pwszObjectName, ... ) {
   *phr = GetServerPath(
              pwszObjectName, &pwszObjectName);
    /* ... */
}

HRESULT GetServerPath(
  WCHAR *pwszPath, WCHAR **pwszServerPath ){
  WCHAR *pwszFinalPath = pwszPath;
  WCHAR wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1];
  hr = GetMachineName(pwszPath, wszMachineName);
  *pwszServerPath = pwszFinalPath;
}

HRESULT GetMachineName(
  WCHAR *pwszPath,
  WCHAR wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1])
{
  pwszServerName = wszMachineName;
  LPWSTR pwszTemp = pwszPath + 2;
  while ( *pwszTemp != L'\\' )
    *pwszServerName++ = *pwszTemp++;
  /* ... */
}

Compliant Solution

In the following compliant solution, the while loop in the GetMachineName() function is bounded so that the loop terminates when a backslash character is found, the null termination character (L'\0' is discovered, or when the end of the buffer is reached. This code does not result in a buffer overflow, even if no backslash character is found in wszMachineName.

Code Block
bgColor#ccccff
langc

HRESULT GetMachineName(
  wchar_t *pwszPath,
  wchar_t wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1])
{
  wchar_t *pwszServerName = wszMachineName;
  wchar_t *pwszTemp = pwszPath + 2;
  wchar_t *end_addr
    = pwszServerName + MAX_COMPUTERNAME_LENGTH_FQDN;
  while ( (*pwszTemp != L'\\')
     &&  ((*pwszTemp != L'\0'))
     && (pwszServerName < end_addr) )
  {
    *pwszServerName++ = *pwszTemp++;
  }

  /* ... */
}

This compliant solution is for illustrative purposes and is not necessarily the solution implemented by Microsoft. This particular "solution" may not be correct because there is no guarantee that a backslash is found.

...

Noncompliant Code Example (Using Past The End Index)

Similarly to the #Dereferencing Past The End Pointer error, the function insert_in_table() in the following noncompliant code example uses an otherwise valid index to attempt to store a value in an element just past the end of an array.

First, the function incorrectly validates the index pos against the size of the buffer. When the index is equal to size the function will attempt to store value in a memory location just past the end of the buffer.

Second, when the index is greater than size the function modifies size before growing the size of the buffer. If the call to realloc() fails to increase the size of the buffer, the next call to the function with a value of pos equal to or greater than the original value of size will again attempt to store value in a memory location just past the end of the buffer or beyond.

For a discussion of this programming error in the Common Weakness Enumeration database see CWE-122, "Heap-based Buffer Overflow" and CWE-129, "Improper Validation of Array Index."

Code Block
bgColor#ffcccc
langc

static int *table = NULL;
static size_t size = 0;

int insert_in_table(size_t pos, int value) {
  if (size < pos) {
    int *tmp;
    size = pos + 1;
    tmp = (int*)realloc(table, sizeof *table * size);
    if (NULLtmp == tmpNULL) {
      return -1;
    }
    /* Modify size only after realloc() succeeds */
    size  = pos + 1;
    table = tmp;
  }

  table[pos] = value;
  return 0;
}

Compliant Solution

The following compliant solution correctly validates the index pos by using the <= operator and avoids modifying size until it has verified that the call to realloc() was successful.

Code Block
bgColor#ccccff
langc

static int *table = NULL;
static size_t size = 0;

int insert_in_table(size_t pos, int value) {
  if (size <= pos) {
    int *tmp = (int*)realloc(table, sizeof *table * (pos + 1));
    if (NULL == tmp)
      return -1;   /* indicate failure */

    /* modify size only after realloc succeeds */
    size  = pos + 1;
    table = tmp;
  }

  table[pos] = value;
  return 0;
}

...

Noncompliant Code Example (Apparently Accessible Out Of Range Index)

Wiki Markup
The following noncompliant code example declares {{matrix}} to consist of 7 rows and 5 columns in row-major order. The function {{init_matrix}} then iterates over all 35 elements in an attempt to initialize each to the value given by the function argument {{x}}. However, since multidimensional arrays are declared in C in row-major order, and the function iterates over the elements in column-major order, when the value of {{j}} reaches the value {{COLS}} during the first iteration of the outer loop, the function attempts to access element {{matrix\[0\]\[5\]}}. Since the type of {{matrix}} is {{int\[7\]\[5\]}}, the {{j}} subscript is out of range, and the access has undefined behavior [46|CC. Undefined Behavior#ub_46].

Code Block
bgColor#ffcccc
langc

static const size_t COLS = 5;
static const size_t ROWS = 7;

static int matrix[ROWS][COLS];

void init_matrix(int x) {
  for (size_t i = 0; i != COLS; ++i)
    for (size_t j = 0; j != ROWS; ++j)
      matrix[i][j] = x;
}

Compliant Solution

The following compliant solution avoids using out-of-range indices by initializing matrix elements in the same row-major order as multidimensional objects are declared in C.

Code Block
bgColor#ccccff
langc

static const size_t COLS = 5;
static const size_t ROWS = 7;

static int matrix[ROWS][COLS];

void init_matrix(int x) {
  for (size_t i = 0; i != ROWS; ++i)
    for (size_t j = 0; j != COLS; ++j)
      matrix[i][j] = x;
}

...

Noncompliant Code Example (Pointer Past Flexible Array Member)

In the following noncompliant code example the function find() attempts to iterate over the elements of the flexible array member buf, starting with the second element. However, since function g() does not allocate any storage for the member, the expression first++ in find() will attempt to form a pointer just past the end of buf when there are no elements. This attempt results in undefined behavior 59.

Code Block
bgColor#ffcccc
langc

struct S {
  size_t len;
  char   buf[];   /* flexible array member */
};

char* find(const struct S *s, int c) {
  char *first = s->buf;
  char *last  = s->buf + s->len;

  while (first++ != last)   /* undefined behavior here */
    if (*first == (unsigned char)c)
      return first;

  return NULL;
}

void g() {
  struct S *s = (struct S*)malloc(sizeof (struct S));
  s->len = 0;
  /* ... */
  char *where = find(s, '.');
  /* ... */
}

Compliant Solution

The following compliant solution avoids incrementing the pointer unless a value past the pointer's current value is known to exist.

Code Block
bgColor#ccccff
langc

struct S {
  size_t len;
  char   buf[];   /* flexible array member */
};

char* find(const struct S *s, int c) {
  char *first = s->buf;
  char *last  = s->buf + s->len;

  while (first != last)   /* avoid incrementing here */
    if (*++first == (unsigned char)c)
      return first;

  return NULL;
}

void g() {
  struct S *s = (struct S*)malloc(sizeof (struct S));
  s->len = 0;
  /* ... */
  char *where = find(s, '.');
  /* ... */
}

...

Noncompliant Code Example (Invalid Access By Library Function)

In the following noncompliant code example, the function f() calls fread() to read nitems of type wchar_t, each size bytes in size, into an array of BUFSIZ elements, wbuf. However, the expression used to compute the value of nitems fails to account for the fact that, unlike the size of char, the size of wchar_t may be greater than 1. Thus, fread() could attempt to form pointers past the end of wbuf and use them to assign values to non-existing elements of the array. Such an attempt results in undefined behavior 103. A likely manifestation of this undefined behavior is a classic buffer overflow, which is often exploitable by code injection attacks.

For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-121, "Access of Memory Location After End of Buffer" and CWE-805, "Buffer Access with Incorrect Length Value."

Code Block
bgColor#ffcccc
langc

void f(FILE *file) {
  wchar_t wbuf[BUFSIZ];

  const size_t size = sizeof *wbuf;
  const size_t nitems = sizeof wbuf;

  size_t nread;

  nread = fread(wbuf, size, nitems, file);
  /* ... */
}

Compliant Solution

The following compliant solution correctly computes the maximum number of items for fread() to read from the file.

Code Block
bgColor#ccccff
langc

void f(FILE *file) {
  wchar_t wbuf[BUFSIZ];

  const size_t size = sizeof *wbuf;
  const size_t nitems = sizeof wbuf / size;

  size_t nread;

  nread = fread(wbuf, size, nitems, file);
  /* ... */
}

Risk Assessment

Accessing out of range pointers or array subscripts for writing can result in a buffer overflow and the execution of arbitrary code with the permissions of the vulnerable process or unintended information disclosure.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ARR30-C

high

likely

high

P9

L2

Automated Detection

...

Tool

...

Version

...

Checker

...

Description

...

Section

Coverity Prevent

...

Section

ARRAY_VS_SINGLETON

...

Section

can detect the access of memory past the end of a memory buffer/array

...

Section

Coverity Prevent

...

Section

NEGATIVE_RETURNS

...

Section

can detect when the loop bound may become negative

...

Section

Coverity Prevent

...

Section

OVERRUN_STATIC OVERRUN_DYNAMIC

...

Section

can detect the out of bound read/write to array allocated statically or dynamically

...

Section

Klocwork

...

Section

ABV.ITERATOR SV.TAINTED.LOOP_BOUND

...

 

...

Section

Compass/ROSE

...

 

...

 

...

Section

could be configured to catch violations of this rule. The way to catch the NCE is to first hunt for example code that follows this pattern:

Code Block

for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\'; *pwszTemp++;)

In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer.

Once this case is handled, we can handle cases like the real NCE, which is effectively the same semantics, just different syntax.

Anchor
Apparently Accessible Out-of-Range Index
Apparently Accessible Out-of-Range Index
Noncompliant Code Example (Apparently Accessible Out-of-Range Index)

This noncompliant code example declares matrix to consist of 7 rows and 5 columns in row-major order. The function init_matrix iterates over all 35 elements in an attempt to initialize each to the value given by the function argument x. However, because multidimensional arrays are declared in C in row-major order, the function iterates over the elements in column-major order, and when the value of j reaches the value COLS during the first iteration of the outer loop, the function attempts to access element matrix[0][5]. Because the type of matrix is int[7][5], the j subscript is out of range, and the access has undefined behavior 49.

Code Block
bgColor#ffcccc
langc
#include <stddef.h>
#define COLS 5
#define ROWS 7
static int matrix[ROWS][COLS];

void init_matrix(int x) {
  for (size_t i = 0; i < COLS; i++) {
    for (size_t j = 0; j < ROWS; j++) {
      matrix[i][j] = x;
    }
  }
}

Compliant Solution

This compliant solution avoids using out-of-range indices by initializing matrix elements in the same row-major order as multidimensional objects are declared in C:

Code Block
bgColor#ccccff
langc
#include <stddef.h>
#define COLS 5
#define ROWS 7
static int matrix[ROWS][COLS];

void init_matrix(int x) {
  for (size_t i = 0; i < ROWS; i++) {
    for (size_t j = 0; j < COLS; j++) {
      matrix[i][j] = x;
    }
  }
}

Anchor
Pointer Past Flexible Array Member
Pointer Past Flexible Array Member
Noncompliant Code Example (Pointer Past Flexible Array Member)

In this noncompliant code example, the function find() attempts to iterate over the elements of the flexible array member buf, starting with the second element. However, because function g() does not allocate any storage for the member, the expression first++ in find() attempts to form a pointer just past the end of buf when there are no elements. This attempt is undefined behavior 62. (See MSC21-C. Use robust loop termination conditions for more information.)

Code Block
bgColor#ffcccc
langc
#include <stdlib.h>
 
struct S {
  size_t len;
  char buf[];  /* Flexible array member */
};

const char *find(const struct S *s, int c) {
  const char *first = s->buf;
  const char *last  = s->buf + s->len;

  while (first++ != last) { /* Undefined behavior */
    if (*first == c) {
      return first;
    }
  }
  return NULL;
}
 
void g(void) {
  struct S *s = (struct S *)malloc(sizeof(struct S));
  if (s == NULL) {
    /* Handle error */
  }
  s->len = 0;
  find(s, 'a');
}

Compliant Solution

This compliant solution avoids incrementing the pointer unless a value past the pointer's current value is known to exist:

Code Block
bgColor#ccccff
langc
#include <stdlib.h>
 
struct S {
  size_t len;
  char buf[];  /* Flexible array member */
};

const char *find(const struct S *s, int c) {
  const char *first = s->buf;
  const char *last  = s->buf + s->len;

  while (first != last) { /* Avoid incrementing here */
    if (*++first == c) {
      return first;
    }
  }
  return NULL;
}
 
void g(void) {
  struct S *s = (struct S *)malloc(sizeof(struct S));
  if (s == NULL) {
    /* Handle error */
  }
  s->len = 0;
  find(s, 'a');
}

Anchor
Null Pointer Arithmetic
Null Pointer Arithmetic
Noncompliant Code Example (Null Pointer Arithmetic)

This noncompliant code example is similar to an Adobe Flash Player vulnerability that was first exploited in 2008. This code allocates a block of memory and initializes it with some data. The data does not belong at the beginning of the block, which is left uninitialized. Instead, it is placed offset bytes within the block. The function ensures that the data fits within the allocated block. 

Code Block
bgColor#ffcccc
langc
#include <string.h>
#include <stdlib.h>

char *init_block(size_t block_size, size_t offset,
                 char *data, size_t data_size) {
  char *buffer = malloc(block_size);
  if (data_size > block_size || block_size - data_size < offset) {
    /* Data won't fit in buffer, handle error */
  }
  memcpy(buffer + offset, data, data_size);
  return buffer;
}

This function fails to check if the allocation succeeds, which is a violation of ERR33-C. Detect and handle standard library errors. If the allocation fails, then malloc() returns a null pointer. The null pointer is added to offset and passed as the destination argument to memcpy(). Because a null pointer does not point to a valid object, the result of the pointer arithmetic is undefined behavior 46.

An attacker who can supply the arguments to this function can exploit it to execute arbitrary code. This can be accomplished by providing an overly large value for block_size, which causes malloc() to fail and return a null pointer. The offset argument will then serve as the destination address to the call to memcpy(). The attacker can specify the data and data_size arguments to provide the address and length of the address, respectively, that the attacker wishes to write into the memory referenced by offset. The overall result is that the call to memcpy() can be exploited by an attacker to overwrite an arbitrary memory location with an attacker-supplied address, typically resulting in arbitrary code execution.

Compliant Solution  (Null Pointer Arithmetic)

This compliant solution ensures that the call to malloc() succeeds:

Code Block
bgColor#ccccff
langc
#include <string.h>
#include <stdlib.h>

char *init_block(size_t block_size, size_t offset,
                 char *data, size_t data_size) {
  char *buffer = malloc(block_size);
  if (NULL == buffer) {
    /* Handle error */
  }
  if (data_size > block_size || block_size - data_size < offset) {
    /* Data won't fit in buffer, handle error */
  }
  memcpy(buffer + offset, data, data_size);
  return buffer;
}

Risk Assessment

Writing to out-of-range pointers or array subscripts can result in a buffer overflow and the execution of arbitrary code with the permissions of the vulnerable process. Reading from out-of-range pointers or array subscripts can result in unintended information disclosure.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ARR30-C

High

Likely

High

P9

L2

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

array-index-range
array-index-range-constant
null-dereferencing
pointered-deallocation
return-reference-local

Partially checked

Can detect all accesses to invalid pointers as well as array index out-of-bounds accesses and prove their absence.

This rule is only partially checked as invalid but unused pointers may not be reported.

Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-ARR30
Can detect out-of-bound access to array / buffer
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

LANG.MEM.BO
LANG.MEM.BU
LANG.MEM.TBA
LANG.MEM.TO
LANG.MEM.TU
LANG.STRUCT.PARITH
LANG.STRUCT.PBB
LANG.STRUCT.PPE
BADFUNC.BO.*

Buffer overrun
Buffer underrun
Tainted buffer access
Type overrun
Type underrun
Pointer Arithmetic
Pointer before beginning of object
Pointer past end of object
A collection of warning classes that report uses of library functions prone to internal buffer overflows.

Compass/ROSE

Could be configured to catch violations of this rule. The way to catch the noncompliant code example is to first hunt for example code that follows this pattern:

   for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\';
   *pwszTemp++;)

In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer. Once this case is handled, ROSE can handle cases like the real noncompliant code example, which is effectively the same semantics, just different syntax

Coverity

Include Page
Coverity_V
Coverity_V

OVERRUN

NEGATIVE_RETURNS

ARRAY_VS_SINGLETON

BUFFER_SIZE

Can detect the access of memory past the end of a memory buffer/array

Can detect when the loop bound may become negative

Can detect the out-of-bound read/write to array allocated statically or dynamically

Can detect buffer overflows

Cppcheck
Include Page
Cppcheck_V
Cppcheck_V

arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond,  possibleBufferAccessOutOfBounds

Context sensitive analysis of array index, pointers, etc.

Array index out of bounds

Buffer overflow when calling various functions memset,strcpy,..

Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead

Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds

Cppcheck Premium

Include Page
Cppcheck Premium_V
Cppcheck Premium_V

arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond,  possibleBufferAccessOutOfBounds

premium-cert-arr30-c

Context sensitive analysis of array index, pointers, etc.

Array index out of bounds

Buffer overflow when calling various functions memset,strcpy,..

Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead

Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C2840

DF2820, DF2821, DF2822, DF2823, DF2840, DF2841, DF2842, DF2843, DF2930, DF2931, DF2932, DF2933, DF2935, DF2936, DF2937, DF2938, DF2950, DF2951, DF2952, DF2953


Klocwork
Include Page
Klocwork_V
Klocwork_V

ABV.GENERAL
ABV.GENERAL.MULTIDIMENSION
NPD.FUNC.CALL.MIGHT
ABV.ANY_SIZE_ARRAY
ABV.STACK
ABV.TAINTED
ABV.UNICODE.BOUND_MAP
ABV.UNICODE.FAILED_MAP
ABV.UNICODE.NNTS_MAP
ABV.UNICODE.SELF_MAP
ABV.UNKNOWN_SIZE
NNTS.MIGHT
NNTS.MUST
NNTS.TAINTED
SV.TAINTED.INDEX_ACCESS
SV.TAINTED.LOOP_BOUND


LDRA tool suite
 
Include Page
LDRA_V
LDRA_V

45 D, 47 S, 476 S, 489 S, 64 X, 66 X, 68 X, 69 X, 70 X, 71 X, 79 X

Partially implemented
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V
CERT_C-ARR30-a
Avoid accessing arrays out of bounds
Parasoft Insure++

Runtime analysis
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

413, 415, 416, 613, 661, 662, 676

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule ARR30-C

Checks for:

  • Array access out of bounds
  • Pointer access out of bounds
  • Array access with tainted index
  • Use of tainted pointer
  • Pointer dereference with tainted offset

Rule partially covered.

PVS-Studio

Include Page
PVS-Studio_V
PVS-Studio_V

V512, V557, V582, V594, V643, V645, V694, V1086
RuleChecker

Include Page
RuleChecker_V
RuleChecker_V

array-index-range-constant
return-reference-local		Partially checked
TrustInSoft Analyzer

Include Page
TrustInSoft Analyzer_V
TrustInSoft Analyzer_V

index_in_address

Exhaustively verified (see one compliant and one non-compliant example).

Related Vulnerabilities

CVE-2008-1517 results from a violation of this rule. Before Mac OSX version 10.5.7, the XNU kernel accessed an array at an unverified user-input index, allowing an attacker to execute arbitrary code by passing an index greater than the length of the array and therefore accessing outside memory [xorl 2009].

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

Key here (explains table format and definitions)

Taxonomy

Taxonomy item

Relationship

ISO/IEC TR 24772:2013Arithmetic Wrap-Around Error [FIF]Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013Unchecked Array Indexing [XYZ]Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961Forming or using out-of-bounds pointers or array subscripts [invptr]Prior to 2018-01-12: CERT: Unspecified Relationship
CWE 2.11CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer2017-05-18: CERT: Rule subset of CWE
CWE 2.11CWE-123, Write-what-where Condition2017-05-18: CERT: Partial overlap
CWE 2.11CWE-125, Out-of-bounds Read2017-05-18: CERT: Partial overlap
MISRA C:2012Rule 18.1 (required)Prior to 2018-01-12: CERT: Unspecified Relationship

CERT-CWE Mapping Notes

Key here for mapping notes

CWE-119 and ARR30-C

Independent( ARR30-C, ARR38-C, ARR32-C, INT30-C, INT31-C, EXP39-C, EXP33-C, FIO37-C)

STR31-C = Subset( Union( ARR30-C, ARR38-C))

STR32-C = Subset( ARR38-C)

CWE-119 = Union( ARR30-C, ARR38-C)

Intersection( ARR30-C, ARR38-C) = Ø

CWE-394 and ARR30-C

Intersection( ARR30-C, CWE-394) = Ø

CWE-394 deals with potentially-invalid function return values. Which may be used as an (invalid) array index, but validating the return value is a separate operation.

CWE-125 and ARR30-C

Independent( ARR30-C, ARR38-C, EXP39-C, INT30-C)

STR31-C = Subset( Union( ARR30-C, ARR38-C))

STR32-C = Subset( ARR38-C)

CWE-125 = Subset( CWE-119) = Union( ARR30-C, ARR38-C)

Intersection( ARR30-C, CWE-125) =

  • Reading from an out-of-bounds array index, or off the end of an array

ARR30-C – CWE-125 =

  • Writing to an out-of-bounds array index, or off the end of an array

CWE-125 – ARR30-C =

  • Reading beyond a non-array buffer
  • Using a library function to achieve an out-of-bounds read.

CWE-123 and ARR30-C

Independent(ARR30-C, ARR38-C)

STR31-C = Subset( Union( ARR30-C, ARR38-C))

STR32-C = Subset( ARR38-C)

Intersection( CWE-123, ARR30-C) =

  • Write of arbitrary value to arbitrary (probably invalid) array index

ARR30-C – CWE-123 =

  • Read of value from arbitrary (probably invalid) array index
  • Construction of invalid index (pointer arithmetic)

CWE-123 – ARR30-C =

  • Arbitrary writes that do not involve directly constructing an invalid array index

CWE-129 and ARR30-C

Independent( ARR30-C, ARR32-C, INT31-C, INT32-C)

ARR30-C = Union( CWE-129, list), where list =

  • Dereferencing an out-of-bounds array index, where index is a trusted value
  • Forming an out-of-bounds array index, without dereferencing it, whether or not index is a trusted value. (This excludes the array’s TOOFAR index, which is one past the final element; this behavior is well-defined in C11.)

CWE-120 and ARR30-C

See CWE-120 and MEM35-C

CWE-122 and ARR30-C

Intersection( ARR30-C, CWE-122) = Ø

CWE-122 specifically addresses buffer overflows on the heap operations, which occur in the context of string-copying. ARR30 specifically addresses improper creation or references of array indices. Which might happen as part of a heap buffer overflow, but is on a lower programming level.

CWE-20 and ARR30-C

See CWE-20 and ERR34-C

CWE-687 and ARR30-C

Intersection( CWE-687, ARR30-C) = Ø

ARR30-C is about invalid array indices which are created through pointer arithmetic, and dereferenced through an operator (* or []). Neither involve function calls, thus CWE-687 does not apply.

CWE-786 and ARR30-C

ARR30-C = Union( CWE-786, list) where list =

  • Access of memory location after end of buffer
  • Construction of invalid arry reference (pointer). This does not include an out-of-bounds array index (an integer).

CWE-789 and ARR30-C

Intersection( CWE-789, ARR30-C) = Ø

CWE-789 is about allocating memory, not array subscripting

Bibliography

[Finlay 2003]
[Microsoft 2003]
[Pethia 2003]
[Seacord 2013b]Chapter 1, "Running with Scissors"
[Viega 2005]Section 5.2.13, "Unchecked Array Indexing"
[xorl 2009 ]"CVE-2008-1517: Apple Mac OS X (XNU) Missing Array Index Validation"


...

Image Added Image Added Image Added

...

Section

LDRA tool suite

...

Section

47 S
476 S
64 X
68 X
69 X

...

Section

Partially Implemented

Related Vulnerabilities

Wiki Markup
[CVE-2008-1517|http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1517] results from a violation of this rule. Before Mac OSX version 10.5.7, the xnu kernel accessed an array at an unverified, user-input index, allowing an attacker to execute arbitrary code by passing an index greater than the length of the array and therefore accessing outside memory \[[xorl 2009|http://xorl.wordpress.com/2009/06/09/cve-2008-1517-apple-mac-os-x-xnu-missing-array-index-validation/]\].

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

ISO/IEC 9899:1999 Section 6.7.5.2, "Array declarators"

ISO/IEC TR 24772 "XYX Boundary Beginning Violation," "XYY Wrap-around Error," and "XYZ Unchecked Array Indexing"

MITRE CWE: CWE-119, "Failure to Constrain Operations within the Bounds of a Memory Buffer"

MITRE CWE: CWE-121, "Stack-based Buffer Overflow"

MITRE CWE: CWE-122, "Heap-based Buffer Overflow"

MITRE CWE: CWE-129, "Unchecked Array Indexing"

MITRE CWE: CWE-788, "Access of Memory Location After End of Buffer"

MITRE CWE: CWE-805, "Buffer Access with Incorrect Length Value"

Bibliography

Wiki Markup
\[[Finlay 2003|AA. Bibliography#Finlay 03]\]
\[[Microsoft 2003|AA. Bibliography#Microsoft 03]\]
\[[Pethia 2003|AA. Bibliography#Pethia 03]\]
\[[Seacord 2005a|AA. Bibliography#Seacord 05]\] Chapter 1, "Running with Scissors"
\[[Viega 2005|AA. Bibliography#Viega 05]\] Section 5.2.13, "Unchecked array indexing"
\[[xorl 2009|AA. Bibliography#xorl 2009] \] ["CVE-2008-1517: Apple Mac OS X (XNU) Missing Array Index Validation"|http://xorl.wordpress.com/2009/06/09/cve-2008-1517-apple-mac-os-x-xnu-missing-array-index-validation/]

ARR02-C. Explicitly specify array bounds, even if implicitly defined by an initializer      06. Arrays (ARR)      ARR31-C. Use consistent array notation across all source files