Floating-point numbers can take on two classes of exceptional values; infinity and NaN (not-a-number). These values are returned as the result of exceptional or otherwise unresolvable floating-point operations. (See also FLP32-C. Prevent or detect domain and range errors in math functions.) Additionally, they can be directly input by a user by scanf or similar functions. Failure to detect and handle such values can result in undefined behavior.
NaN values are particularly problematic because the expression NaN == NaN (for every possible value of NaN) returns false. Any comparisons made with NaN as one of the arguments returns false, and all arithmetic functions on NaNs simply propagate them through the code. Hence, a NaN entered in one location in the code and not properly handled could potentially cause problems in other, more distant sections.
...
Noncompliant Code Example
The following This noncompliant code example accepts user data without first validating it:
...
This can be a problem if an invalid value is entered for val and subsequently used for calculations or as control values. The user could, for example, input the strings "INF", "INFINITY", or "NAN" (case insensitive) on the command line, which would be parsed by scanf into the floating-point representations of infinity and NaN. All subsequent calculations using these values would be invalid, possibly crashing the program and enabling a deniala denial-of-service attack.
Here, for example, entering "nan" for val would force currentBalance to also equal "nan", corrupting its value. If this value is used elsewhere for calculations, every resulting value would also be a NaN, possibly destroying important data.
...
The following table shows the value of currentBalance returned for various arguments:
Input |
|
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
As this example demonstrates, the user can enter the exceptional values infinity and NaN, as well as force a float's value to be infinite, by entering out-of-range floats. These entries subsequently corrupt the value of currentBalance. So by entering exceptional floats, an attacker can corrupt the program data, possibly leading to a crash.
Compliant Solution
The following code This compliant solution first validates the input float before using it. The value is tested to ensure that it is neither an infinity nor a NaN.
| Code Block | ||||
|---|---|---|---|---|
| ||||
float currentBalance; /* User's cash balance */
void doDeposit() {
float val;
scanf("%f", &val);
if (isinf(val)) {
/* handleHandle infinity error */
}
if (isnan(val)) {
/* handleHandle NaN error */
}
if (val >= MAX_VALUE - currentBalance) {
/* Handle range error */
}
currentBalance += val;
}
|
...
Inappropriate floating-point inputs can result in invalid calculations and unexpected results, possibly leading to crashing and providing a deniala denial-of-service opportunityservice opportunity.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
FLP04-C |
Low |
Probable |
High | P2 | L3 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| Supported: Astrée reports potential runtime error resulting from missing checks for exceptional values. |
Related Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this recommendation on the CERT website.
Related Guidelines
| SEI CERT C++ |
| Coding Standard | FLP04-CPP. Check floating-point inputs for exceptional values |
| CERT Oracle Secure Coding Standard for Java | FLP06-J. Check floating-point inputs for exceptional values |
Bibliography
...
...