Page History

  The Standard C Library uses void * to declare parameters and return types of functions designed to work for objects of different types.  Such is the case with the standard memory allocation functions malloc, calloc, and realloc.

For example, the Library declares malloc as:

void *malloc(size_t);

 type.

Code that follows this recommendation will compile and execute equally well in C++.


h2. Non-Compliant Code Example


The argument to malloc can be *any* value of (unsigned) type size_t.  If the program uses the allocated storage to represent an object (possibly an array) whose size is greater than the requested size, the behavior is undefined.  The implicit pointer conversion lets this slip by without complaint from the compiler.

For example,

{code:bgColor=#FFcccc}
#include <stdlib.h>

typedef struct gadget gadget;
struct gadget {
    int i;
	  double d;
};

typedef struct widget widget;
struct widget {
	  char c[10];
    int i;
	  double d;
};

widget *p;

/* ... */

p = malloc(sizeof(gadget)); /* imminentImminent problem */
if (p != NULL) {
    p->i = 0;                 /* undefinedUndefined behavior */
	  p->d = 0.0;               /* undefinedUndefined behavior */
}
{code}

 produce undefined behavior. They'll likely produce memory overruns.


h2. Compliant Solution


Casting the result of malloc to the appropriate pointer type enables the compiler to catch subsequent inadvertant pointer conversions.  When allocating individual objects, the "appropriate pointer type" is a pointer to the type argument in the sizeof expression passed to malloc, as in:

{code:bgColor=#ccccff}
widget *p;

/* ... */

p = (gadget *)malloc(sizeof(gadget)); /* invalidInvalid assignment */
{code}

Here, malloc allocates space for a gadget and the cast immediately converts the returned pointer to a gadget *.  This lets the compiler detect the invalid assignment, because it attempts to convert a gadget * into a widget *.

Repeating the same type in the sizeof expression and the pointer cast is easy to do, but still invites errors.  Packaging the repetition in a macro, such as:

{code:bgColor=#ccccff}

widget *p;

/* ... */

p = (widget *)malloc(sizeof(widget));

#define MALLOC(type) ((type *)malloc(sizeof(type)))
{code}

:

{code:bgColor=#ccccff}
#define MALLOC_ARRAY(number, type) \
    ((type *)malloc((number) * sizeof(type)))

 expression:

enum { N = 16 };
widget *p;

/* ... */

p = MALLOC_ARRAY(N, widget);    /* OK */

/* Allocates a single object using malloc() */{code}

h2. Compliant Solution
A small collection of macros can provide secure implementations for common uses for the standard memory allocation functions.

{code:bgColor=#ccccff}
#define MALLOC(type) ((type *)malloc(sizeof(type)))

allocates a single object/* Allocates an array of objects using malloc.() */

#define MALLOC_ARRAY(number, type) \
    ((type *)malloc((number) * sizeof(type)))


allocates an/* 
 * Allocates a single object with a flexible
 * array ofmember objects using malloc().
 */
#define MALLOC_FLEX(stype, number, etype) \
    ((stype *)malloc(sizeof(stype) \
    + (number) * sizeof(etype)))

allocates/* aAllocates singlean objectarray withof aobjects flexibleusing array member using malloc.

calloc() */
#define CALLOC(number, type) \
    ((type *)calloc(number, sizeof(type)))

allocates/* Reallocates an array of objects using calloc.
 realloc() */
#define REALLOC_ARRAY(pointer, number, type) \
    ((type *)realloc(pointer, (number) * sizeof(type)))


reallocates an/* 
 * Reallocates a single object with a flexible
 * array ofmember objects using realloc().
 */
#define REALLOC_FLEX(pointer, stype, number, etype) \
    ((stype *)realloc(pointer, sizeof(stype) \
    + (number) * sizeof(etype)))

reallocates a single object with a flexible array member using realloc.
{code}

For example,

enum month { Jan, Feb, /* ... */ };
typetypedef enum month month;

typedef enumstruct date date;
struct date {
    unsigned char dd;
	  month mm;
	  unsigned yy;
};

typedef struct string string;
struct string {
	  size_t length;
	  char text[];
};

date *d, *week, *fortnight;
string *name;

d = MALLOC(date);
week = MALLOC_ARRAY(7, date);
name = MALLOC_FLEX(string, 16, char);
fortnight = CALLOC(14, date);
{code}

h2. Risk Assessment


|| Recommendation || Severity || Likelihood || Remediation Cost || Priority || Level ||
| MEM02-A | *1* (low) | *1* (unlikely) | *3* (low) | {color:green}{*}P3{*}{color} | {color:green}{*}L3{*}{color} |

h3. Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the [CERT website|https://www.kb.cert.org/vulnotes/bymetric?searchview&query=FIELD+KEYWORDS+contains+MEM02-A].

h2. References

\[[Summit 05|AA. C References#Summit 05]\] [Question 7.7|http://c-faq.com/malloc/cast.html], [Question 7.7b|http://c-faq.com/malloc/mallocnocast.html]

----
*[!CERT C Secure Coding Standard^button_arrow_left.png!|MEM01-A. Store a new value in pointers immediately after free()]**   *   *[!CERT C Secure Coding Standard^button_arrow_up.png!|08. Memory Management (MEM)]**  *     *[!CERT C Secure Coding Standard^button_arrow_right.png!|MEM03-A. Clear sensitive information stored in reusable resources returned for reuse]*