SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 39

changes.mady.by.user Pamela Curtis

Saved on

compared with

New Version Current

changes.mady.by.user Anirban Gangopadhyay

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The calloc() function takes two arguments: the number of elements to allocate and the storage size of those elements. Typically, calloc() function implementations multiply these arguments together to determine how much memory to allocate. Historically, some implementations failed to check if this multiplication could result in an integer overflowwhether out-of-bounds results silently wrapped [RUS-CERT Advisory 2002-08:02]. If the result of multiplying the number of elements to allocate and the storage size cannot be represented as a size_twraps, less memory is allocated than was requested. As a result, it is necessary to ensure that these arguments, when multiplied, do not result in an integer overflow.

According to RUS-CERT Advisory 2002-08:02, the following C/C++ implementations of calloc() are defective:

  • GNU libc 2.2.5
  • Microsoft Visual C++ versions 4.0 and 6.0 (including the C++ new allocator)
  • GNU C++ Compiler (GCC versions 2.95, 3.0, and 3.1.1)
  • HP-UX 11 implementations prior to 2004-01-14
  • dietlibc CVS implementations prior to 2002-08-05
  • libgcrypt 1.1.10 (GNU Crypto Library)

Non-Compliant Code Example

wrap.

Modern implementations of the C standard library should check for wrap. If the calloc() function implemented by the libraries used for a particular implementation properly handles unsigned integer wrapping (in conformance with INT30-C. Ensure that unsigned integer operations do not wrap) when multiplying the number of elements to allocate and the storage size, that is sufficient to comply with this recommendation and no further action is required.

Noncompliant Code Example

In this noncompliant In this example, the user-defined function get_size() (not shown) is used to calculate the size requirements for a dynamic array of long int that is assigned to the variable num_elements. When calloc() is called to allocate the buffer, num_elements is multiplied by sizeof(long) to compute the overall size requirements. If the number of elements multiplied by the size cannot be represented as a size_t, then calloc() may allocate a buffer of insufficient size. When data is copied to that buffer, a buffer an overflow may occur.

Code Block
bgColor#FFCCCC
langc

size_t num_elements = get_size();

long *buffer = (long *)calloc(num_elements, sizeof(long));
if (buffer == NULL) {
  /* handleHandle error condition */
}
/* ... */
free(buffer);
buffer = NULL;

Compliant Solution

In this compliant solution, the multiplication of the two arguments num_elements and sizeof(long) is evaluated are checked before the call to calloc() to determine if an overflow will occur. The multsize_t() function sets errno to a non-zero value if the multiplication operation overflows.wrapping will occur:

Code Block
bgColor#ccccff
langc

long *buffer;
size_t num_elements = calc_size();
(void) multsize_t
if (num_elements,  > SIZE_MAX/sizeof(long));
if (errno) {
  /* handleHandle error condition */
}
buffer = (long *)calloc(num_elements, sizeof(long));
if (buffer == NULL) {
  /* handleHandle error condition */
}

Note that the maximum amount of allocatable memory is typically limited to a value less than SIZE_MAX (the maximum value of size_t). Always check the return value from a call to any memory allocation function in compliance with ERR33-C. Detect and handle standard library errors.

Risk Assessment

Integer overflow Unsigned integer wrapping in memory allocation functions can lead to buffer overflows that can be exploited by an attacker to execute arbitrary code with the permissions of the vulnerable process. Most implementations of calloc() now check to make sure integer overflow silent wrapping does not occur, but it is not always safe to assume the version of calloc() being used is secure, particularly when using dynamically linked libraries.

Rule

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

MEM07-

A

3 (high)

1 (unlikely)

1 (high)

P3

L3

Comments

...

C

High

Unlikely

Medium

P6

L2

Automated Detection

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V

Supported, but no explicit checker
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
ALLOC.SIZE.MULOFLOWMultiplication overflow of allocation size
Compass/ROSE




Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-MEM07-a

The validity of values passed to library functions shall be checked

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Related Guidelines

SEI CERT C++ Coding StandardVOID MEM07-CPP. Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t
MITRE CWECWE-190, Integer overflow (wrap or wraparound)
CWE-128, Wrap-around error

Bibliography

[RUS-CERT]Advisory 2002-08:02, "Flaw in calloc and Similar Routines"
[Seacord 2013]Chapter 4, "Dynamic Memory Management"
[Secunia]Advisory SA10635, "HP-UX calloc Buffer Size Miscalculation Vulnerability"


...

Image Added Image Added Image Added Wiki Markup\[[ISO/IEC 9899-1999|AA. C References#ISO/IEC 9899-1999]\] Section 7.18.3, "Limits of other integer types" \[[Seacord 05|AA. C References#Seacord 05]\] Chapter 4, "Dynamic Memory Management" \[[RUS-CERT Advisory 2002-08:02|http://cert.uni-stuttgart.de/advisories/calloc.php]\] \[[Secunia Advisory SA10635|http://secunia.com/advisories/10635/]\]