SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 33

changes.mady.by.user David Keaton

Saved on

compared with

New Version Current

changes.mady.by.user Jill Britton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Avoid excessive stack allocations, particularly in situations where the growth of the stack can be controlled or influenced by an attacker.

Non-Compliant Code Example

See INT04-C. Enforce limits on integer values originating from tainted sources for more information on preventing attacker-controlled integers from exhausting memory.

Noncompliant Code Example

The C Standard includes C99 includes support for variable length arrays (VLAs). If the array length is derived from an untrusted data source, an attacker could can cause the process to perform an excessive allocation on the stack.

This non-compliant noncompliant code example temporarily stores data read from a source file into a buffer. The buffer is allocated on the stack as a variable length array a VLA of size bufsize. If bufsize can be controlled by a malicious user, this code could can be exploited to cause a denial-of-service attack.:

Code Block
bgColor#FFcccc
langc

int copy_file(FILE *src, FILE *dst, size_t bufsize) {
  char buf[bufsize];

  while (fgets(buf, bufsize, src)) {
    if (fputs(buf, dst); == EOF) {
      /* Handle error */
    }
  }

  return 0;
}

...

The   BSD   extension   function  {{alloca()}}  behaves   in   a   similar   fashion   to   VLAs;   its   use   is   not   recommended  \[ [Loosemore  07|AA. C References#Loosemore 07]\] 2007].
Compliant Solution
This compliant solution replaces the variable length array the VLA with a call to malloc(). If malloc() fails, the return value can be checked to prevent the program from terminating abnormally.
 Code Block
bgColor#ccccff
langc

int copy_file(FILE *src, FILE *dst, size_t bufsize) {
  if (bufsize == 0) {
    /* Handle error */
  }
  char *buf = (char *)malloc(bufsize);
  if (!buf) {
    /* Handle return -1;error */
  }

  while (fgets(buf, bufsize, src)) {
    if (fputs(buf, dst);) == EOF) {
      /* Handle error */
    }
  }
  /* ... */
  free(buf);
  buf = NULL;

  return 0;
}

...
Noncompliant Code Example
Recursion can also lead to large stack allocations. Recursive functions must ensures they ensure that they do not exhaust the stack due to excessive stack as a result of excessive recursions.
This non-compliant noncompliant implementation of the Fibonacci function uses recursion.:
 Code Block
bgColor#FFcccc
langc

unsigned long fib1(unsigned int n) {
  if (n == 0) {
    return 0;
  }
  else if (n == 1 || n == 2) {
    return 1;
  }
  else {
    return fib1(n-1) + fib1(n-2);
  }
}

The stack space needed grows exponentially The amount of stack space needed grows linearly with respect to the parameter n. Large values of n have been shown to cause abnormal program termination.
Compliant Solution
This implementation of the Fibonacci functions eliminates the use of recursion.:
 Code Block
bgColor#ccccff
langc

unsigned long fib2(unsigned int n) {
  if (n == 0) {
    return 0;
  }
  else if (n == 1 || n == 2) {
    return 1;
  }

  unsigned long prev = 1;
  unsigned long cur = 1;

  unsigned int i;

  for (i = 3; i <= n; i++) {
    unsigned long tmp = cur;
    cur = cur + prev;
    prev = tmp;
  }

  return cur;
}

Because there is no recursion, the amount of stack space needed does not depend on the parameter n, greatly reducing the risk of stack overflow.
Risk Assessment
Program stacks are frequently used for convenient temporary storage , because allocated memory is automatically freed when the function returns. Generally, the operating system will grow grows the stack as needed. However, growing the stack can fail due to a fail because of a lack of memory or collision a collision with other allocated areas of the address space (depending on the architecture). When the stack is exhausted, the operating system may can terminate the program abnormally. This behavior can be exploited by , and an attacker to can cause a denial-of-service attack in situations where the attacker can attack if he or she can control or influence the amount of stack memory allocated.
Recommendation
Severity
Likelihood
Remediation Cost
Priority
Level
MEM05-
A 
 1 (low) 
 1 (unlikely) 
 2 (medium) 
 P2 
 L3 
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Automated Detection
...
C
Medium
Likely
Medium
P12
L1
Automated Detection
Tool
Version
Checker
Description
CodeSonar
 Include Page
CodeSonar_V
CodeSonar_V
IO.TAINT.SIZE
MISC.MEM.SIZE.BAD
Tainted Allocation Size
Unreasonable Size Argument
Coverity
 Include Page
Coverity_V
Coverity_V
STACK_USE
Can help detect single stack allocations that are dangerously large, although it will not detect excessive stack use resulting from recursion
...
Helix QAC
 Include Page
Helix QAC_V
Helix QAC_V
C1051, C1520, C3670
Klocwork
 Include Page
Klocwork_V
Klocwork_V
MISRA.FUNC.RECUR
LDRA tool suite
 Include Page
LDRA_V
LDRA_V
44 SEnhanced Enforcement
Parasoft C/C++test
 Include Page
Parasoft_V
Parasoft_V
CERT_C-MEM05-a
CERT_C-MEM05-b
Do not use recursion
Ensure the size of the variable length array is in valid range
PC-lint Plus
 Include Page
PC-lint Plus_V
PC-lint Plus_V
9035, 9070
Partially supported: reports use of variable length arrays and recursion
Polyspace Bug Finder
 Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V
CERT C: Rec. MEM05-C

Checks for:
  • Direct or indirect function call to itself
  • Variable length array with nonpositive size
  • Tainted size of variable length array
Rec. partially covered.
PVS-Studio
 Include Page
PVS-Studio_V
PVS-Studio_V
V505
Related Vulnerabilities
Stack overflow has been implicated in Toyota unintended acceleration cases, where Camry and other Toyota vehicles accelerated unexpectedly.  Michael Barr testified at the trial that a stack overflow could corrupt the critical variables of the operating system, because they were located in memory adjacent to the top of the stack [Samek 2014].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ Coding StandardVOID MEM05-CPP. Avoid large stack allocations
ISO/IEC TR 24772:2013Recursion [GDL]
MISRA C:2012Rule 17.2 (required)
Bibliography
[Loosemore 2007]Section 3.2.5, "Automatic Storage with Variable Size"
[Samek 2014]
Are We Shooting Ourselves in the Foot with Stack Overflow?
Monday, February 17th, 2014 by Miro Samek
[Seacord 2013]Chapter 4, "Dynamic Memory Management"

...
Image Added Image Added Image Added
References
 Wiki Markup
\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.7.5.2, "Array declarators", Section 7.20.3, "Memory management functions"
\[[Loosemore 07|AA. C References#Loosemore 07]\] [Section 3.2.5, "Automatic Storage with Variable Size"|http://www.gnu.org/software/libc/manual/html_mono/libc.html#Variable-Size-Automatic]
\[[Seacord 05|AA. C References#Seacord 05]\] Chapter 4, "Dynamic Memory Management"
\[[van Sprundel 06|http://ilja.netric.org/files/Unusual%20bugs.pdf]\] "Stack Overflow"
MEM04-A. Do not make assumptions about the result of allocating 0 bytes      08. Memory Management (MEM)       MEM07-A. Ensure that size arguments to calloc() do not result in an integer overflow