SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 25

changes.mady.by.user Justin Pincar

Saved on

compared with

New Version Current

changes.mady.by.user Yozo TODA

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: parens are needed to "increment the value", pointed out by someone reading japanese version.

Wiki MarkupMany functions accept pointers as arguments. If the function dereferences an invalid pointer (see [as in EXP34-C. Ensure a null pointer is not dereferenced]) or reads or writes to a pointer that does not refer to an object, the results are [undefined|BB. Definitions#undefined]. Typically, the program will terminate abnormally when an invalid pointer is dereferenced, but it is possible, for an invalid pointer to be dereferenced, and its memory changed, without abnormal termination \[[Jack 07|AA. C References#Jack 07]\]. Such programs can be difficult to debug because of the difficulty in determining if a pointer is Do not dereference null pointers) or reads or writes to a pointer that does not refer to an object, the results are undefined. Typically, the program will terminate abnormally when an invalid pointer is dereferenced, but it is possible for an invalid pointer to be dereferenced and its memory changed without abnormal termination [Jack 2007]. Such programs can be difficult to debug because of the difficulty in determining if a pointer is valid.

One way to eliminate invalid pointers is to define a function that accepts a pointer argument and indicates whether the or not the pointer is valid or not, for some definition of valid. For example, the following function declares any pointer to be valid except NULL.:

Code Block

int valid(void *ptr) {
  return (ptr != NULL);
}

...

The following code relies on the _etext address, defined by the loader as the first address following the program text on many platforms, including AIX, Linux, QNX, IRIX, and Solaris. It is not POSIX-compliant, nor is it available on Windows.

Code Block

#include <stdio.h>
#include <stdlib.h>

int valid(void *p) {
  extern char _etext;
  return (p != NULL) && ((char*) p > &_etext);
}

int global;

int main(void) {
  int local;

  printf("pointer to local var valid? %d\n", valid(&local));
  printf("pointer to static var valid? %d\n", valid(&global));
  printf("pointer to function valid? %d\n", valid((void *)main));

  int *p = (int *) malloc(sizeof(int));
  printf("pointer to heap valid? %d\n", valid(p));
  printf("pointer to end of allocated heap valid? %d\n", valid(++p));
  free(--p);
  printf("pointer to freed heap valid? %d\n", valid(p));
  printf("null pointer valid? %d\n", valid(NULL));

  return 0;
}

On a Linux platform, this program produces the following output:

Code Block

pointer to local var valid? 1
pointer to static var valid? 1
pointer to function valid? 0
pointer to heap valid? 1
pointer to end of allocated heap valid? 1
pointer to freed heap valid? 1
null pointer valid? 0

The valid() function does not guarantee validity (; it only identifies null pointers and pointers to functions as invalid). However, but it can be used to catch a substantial number of problems that might otherwise go undetected.

...

In this noncompliant code example, the incr() function increments the value referenced by its argument. It also ensures that its argument is not a null pointer. But the pointer could still be invalid, causing the function to corrupt memory or terminate abnormally.

Code Block
bgColor#FFCCCC
langc

void incr(int *intptr) {
  if (intptr == NULL) {
    /* Handle error */
  }
  (*intptr)++;
}

Compliant Solution

This incr() function can be improved by using the valid() function. The resulting implementation is less likely to dereference an invalid pointer or write to memory that is outside the bounds of a valid object.

Code Block
bgColor#ccccff
langc

void incr(int *intptr) {
  if (!valid(intptr)) {
    /* Handle error */
  }
  (*intptr)++;
}

The valid() function can be implementation dependent and perform additional, platform-dependent checks when possible.

Compliant Solution (assert)

Because invalid pointers are often indicative of a defect in the program, the assert() macro can be used to terminate immediately if an invalid pointer is discovered (see MSC11-C. Incorporate diagnostic tests using assertions).

...

bgColor#ccccff

...

In the worst case, the valid() function may only perform the same null-pointer check as the noncompliant code example. However, on platforms where additional pointer validation is possible, the use of a valid() function can provide checks.

Risk Assessment

A pointer validation function can be used to detect and prevent operations from being performed on some invalid pointers.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MEM10-C

high

High

unlikely

Unlikely

high

High

P3

L3

Automated Detection

Tool

Version

Checker

Description

LDRA tool suite
Include Page
LDRA_V
LDRA_V
159 SEnhanced enforcement

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

...

Related Guidelines

SEI CERT C++

...

Coding Standard

...

VOID MEM10-CPP. Define and use a pointer validation function

...

MITRE CWE

CWE-20, Improper Input Validation
CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-89, Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-91, XML Injection (aka Blind XPath Injection)
CWE-94, Improper Control of Generation of Code ('Code Injection')
CWE-114, Process Control
CWE-601, URL Redirection to Untrusted Site ('Open Redirect')

Bibliography

[Jack 2007]
[van Sprundel 2006]


...

Image Added Image Added

References

Wiki Markup
\[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.3.2.3, "Pointers"
\[[Jack 07|AA. C References#Jack 07]\]
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 20|http://cwe.mitre.org/data/definitions/20.html], "Insufficient Input Validation"
\[[van Sprundel 06|AA. C References#van Sprundel 06]\]

MEM09-C. Do not assume memory allocation routines initialize memory      08. Memory Management (MEM)       Image Modified