Potentially exploitable undefined behavior can result from any of the following:
- Using pointer arithmetic so that the result does not point into or just past the end of the same object
- Using such pointers in arithmetic expressions
- Dereferencing pointers that do not point to a valid object in memory
- Using an array subscript so that the resulting reference does not refer to an element in the array
The C Standard identifies the following distinct situations in which undefined behavior (UB) can arise as a result of invalid pointer operations:
UB | Description | Example Code |
---|---|---|
Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that does not point into, or just beyond, the same array object. |
ARR30-C. Do not form or use out of bounds pointers or array subscripts
Addition or subtraction of a pointer into, or just beyond, an array object and an integer type produces a result that points just beyond the array object and is used as the operand of a unary |
An array subscript is out of range, even if an object is apparently accessible with the given subscript |
, for example, in the lvalue expression |
An attempt is made to access, or generate a pointer to just past, a flexible array member of a structure when the referenced object provides no elements for that array. |
ARR30-C. Do not form or use out of bounds pointers or array subscripts
The pointer passed to a library function array parameter does not have a value such that all address computations and object accesses are valid.
Anchor | ||||
---|---|---|---|---|
|
In this noncompliant code example, the function f()
attempts to validate the index
before using it as an offset to the statically allocated table
of integers. However, the function fails to reject negative index
values. When index
is less than zero, the behavior of the addition expression in the return statement of the function is undefined behavior 46. On some implementations, the addition alone can trigger a hardware trap. On other implementations, the addition may produce a result that when dereferenced can trigger triggers a hardware trap. Other implementations still may produce a dereferenceable pointer that points to an object distinct from table
. Using such a pointer to access the object may lead to information exposure or cause the wrong object to be modified.
...
Compliant Solution
Another , slightly simpler and potentially more efficient compliant solution is to use an unsigned type to avoid having to check for negative values while still rejecting out-of-bounds positive values of index
:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stddef.h> enum { TABLESIZE = 100 }; static int table[TABLESIZE]; int *f(size_t index) { if (index < TABLESIZE) { return table + index; } return NULL; } |
Anchor | ||||
---|---|---|---|---|
|
This noncompliant code example shows the flawed logic in the Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface that was exploited by the W32.Blaster.Worm. The error is that the while
loop in the GetMachineName()
function (used to extract the host name from a longer string) is not sufficiently bounded. When the character array pointed to by pwszTemp
does not contain the backslash character among the first MAX_COMPUTERNAME_LENGTH_FQDN + 1
elements, the final valid iteration of the loop will dereference past - the - end pointer, resulting in exploitable undefined behavior 47. In this case, the actual exploit allowed the attacker to inject executable code into a running program. Economic damage from the Blaster worm has been estimated to be at least $525 million [Pethia 2003].
For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-119, "Failure to constrain operations Improper Restriction of Operations within the bounds Bounds of a memory bufferMemory Buffer," and CWE-121, "Stack-based buffer overflow."Buffer Overflow" [MITRE 2013].
Code Block | ||||
---|---|---|---|---|
| ||||
error_status_t _RemoteActivation( /* ... */, WCHAR *pwszObjectName, ... ) { *phr = GetServerPath( pwszObjectName, &pwszObjectName); /* ... */ } HRESULT GetServerPath( WCHAR *pwszPath, WCHAR **pwszServerPath ){ WCHAR *pwszFinalPath = pwszPath; WCHAR wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1]; hr = GetMachineName(pwszPath, wszMachineName); *pwszServerPath = pwszFinalPath; } HRESULT GetMachineName( WCHAR *pwszPath, WCHAR wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1]) { pwszServerName = wszMachineName; LPWSTR pwszTemp = pwszPath + 2; while ( *pwszTemp != L'\\' ) *pwszServerName++ = *pwszTemp++; /* ... */ } |
...
In this compliant solution, the while
loop in the GetMachineName()
function is bounded so that the loop terminates when a backslash character is found, the null-termination character (L'\0'
) is discovered, or the end of the buffer is reached. Or, as coded, the while loop continues as long as each character is neither a backslash nor a null character and is not at the end of the buffer. This code does not result in a buffer overflow , even if no backslash character is found in wszMachineName
.
Code Block | ||||
---|---|---|---|---|
| ||||
HRESULT GetMachineName( wchar_t *pwszPath, wchar_t wszMachineName[MAX_COMPUTERNAME_LENGTH_FQDN+1]) { wchar_t *pwszServerName = wszMachineName; wchar_t *pwszTemp = pwszPath + 2; wchar_t *end_addr = pwszServerName + MAX_COMPUTERNAME_LENGTH_FQDN; while ( (*pwszTemp != L'\\') && && ((*pwszTemp != L'\0')) && && (pwszServerName < end_addr) ) { *pwszServerName++ = *pwszTemp++; } /* ... */ } |
This compliant solution is for illustrative purposes and is not necessarily the solution implemented by Microsoft. This particular solution may not be correct because there is no guarantee that a backslash is found.
Anchor | ||||
---|---|---|---|---|
|
Similarly Similar to the dereferencing-past-the-end-pointer error, the function insert_in_table()
in this noncompliant code example uses an otherwise valid index to attempt to store a value in an element just past the end of an array.
...
Third, the function violates INT30-C. Ensure that unsigned integer operations do not wrap when calculating the size of memory to allocate. This could lead to wrapping when 1 is , which could lead to wrapping when 1 is added to pos
or when size
is multiplied by the size of int
.
For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-122, "Heap-based buffer overflowBuffer Overflow," and CWE-129, "Improper validation of array index."Validation of Array Index" [MITRE 2013].
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdlib.h> static int *table = NULL; static size_t size = 0; int insert_in_table(size_t pos, int value) { if (size < pos) { int *tmp; size = pos + 1; tmp = (int *)realloc(table, sizeof(*table) * size); if (tmp == NULL) { return -1; /* Failure */ } table = tmp; } table[pos] = value; return 0; } |
...
This compliant solution correctly validates the index pos
by using the <=
relational operator, ensures the multiplication will not overflow, and avoids modifying size
until it has verified that the call to realloc()
was successful:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdint.h> #include <stdlib.h> static int *table = NULL; static size_t size = 0; int insert_in_table(size_t pos, int value) { if (size <= pos) { if int *tmp; ((SIZE_MAX - 1 < pos) || if ((pos + 1) > SIZE_MAX / sizeof(*table))) { return -1; } int *tmp = (int *)realloc(table, sizeof(*table) * (pos + 1)); if (tmp == NULL) { return -1; } /* Modify size only after realloc() succeeds */ size = pos + 1; table = tmp; } table[pos] = value; return 0; } |
Anchor | ||||
---|---|---|---|---|
|
This noncompliant code example declares matrix
to consist of 7 rows and 5 columns in row-major order. The function init_matrix
then iterates over all 35 elements in an attempt to initialize each to the value given by the function argument x
. However, because multidimensional arrays are declared in C in row-major order, and the function iterates over the elements in column-major order, and when the value of j
reaches the value COLS
during the first iteration of the outer loop, the function attempts to access element matrix[0][5]
. Because the type of matrix
is int[7][5]
, the j
subscript is out of range, and the access has undefined behavior 49.
Code Block | ||||
---|---|---|---|---|
| ||||
static const size_t COLS = 5; static const size_t ROWS = 7; #include <stddef.h> #define COLS 5 #define ROWS 7 static int matrix[ROWS][COLS]; void init_matrix(int x) { for (size_t i = 0; i < COLS; i++) { for (size_t j = 0; j < ROWS; j++) { matrix[i][j] = x; } } } |
...
Code Block | ||||
---|---|---|---|---|
| ||||
static const size_t#include <stddef.h> #define COLS = 5; static const size_t #define ROWS = 7; static int matrix[ROWS][COLS]; void init_matrix(int x) { for (size_t i = 0; i < ROWS; i++) { for (size_t j = 0; j < COLS; j++) { matrix[i][j] = x; } } } |
Anchor | ||||
---|---|---|---|---|
|
In this noncompliant code example, the function find()
attempts to iterate over the elements of the flexible array member buf
, starting with the second element. However, because function g()
does not allocate any storage for the member, the expression first++
in find()
attempts to form a pointer just past the end of buf
when there are no elements. This attempt results in is undefined behavior 62. (See MSC21-C. Use robust loop termination conditions for more information.)
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdlib.h> struct S { size_t len; char buf[]; /* Flexible array member */ }; const char *find(const struct S *s, int c) { const char *first = s->buf; const char *last = s->buf + s->len; while (first++ != last) { /* Undefined behavior */ if (*first == (unsigned char)c) { return first; } } return NULL; } void g(void) { struct S *s = (struct S *)malloc(sizeof(struct S)); if (s == NULL) { /* handleHandle error */ } s->len = 0; find(s, 'a'); } |
...
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdlib.h> struct S { size_t len; char buf[]; /* Flexible array member */ }; const char *find(const struct S *s, int c) { const char *first = s->buf; const char *last = s->buf + s->len; while (first != last) { /* Avoid incrementing here */ if (*++first == (unsigned char)c) { return first; } } return NULL; } void g(void) { struct S *s = (struct S *)malloc(sizeof(struct S)); if (s == NULL) { /* handleHandle error */ } s->len = 0; find(s, 'a'); } |
Anchor |
---|
...
|
...
...
Null Pointer Arithmetic)
In this This noncompliant code example , the function f()
calls fread()
to read nitems
of type wchar_t
, each size
bytes in size, into an array of BUFSIZ
elements, wbuf
. However, the expression used to compute the value of nitems
fails to account for the fact that, unlike the size of char
, the size of wchar_t
may be greater than 1. Thus, fread()
could attempt to form pointers past the end of wbuf
and use them to assign values to nonexistent elements of the array. Such an attempt results in undefined behavior 109 . A likely manifestation of this undefined behavior is a classic buffer overflow, which is often exploitable by code injection attacks.
For a discussion of this programming error in the Common Weakness Enumeration database, see CWE-121, "Access of memory location after end of buffer," and CWE-805, "Buffer access with incorrect length value."
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stddef.h>
#include <stdio.h>
void f(FILE *file) {
wchar_t wbuf[BUFSIZ];
const size_t size = sizeof(*wbuf);
const size_t nitems = sizeof(wbuf);
size_t nread;
nread = fread(wbuf, size, nitems, file);
}
|
Compliant Solution
This compliant solution correctly computes the maximum number of items for fread()
to read from the file:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stddef.h>
#include <stdio.h>
void f(FILE *file) {
wchar_t wbuf[BUFSIZ];
const size_t size = sizeof(*wbuf);
const size_t nitems = sizeof(wbuf) / size;
size_t nread;
nread = fread(wbuf, size, nitems, file);
}
|
...
is similar to an Adobe Flash Player vulnerability that was first exploited in 2008. This code allocates a block of memory and initializes it with some data. The data does not belong at the beginning of the block, which is left uninitialized. Instead, it is placed offset
bytes within the block. The function ensures that the data fits within the allocated block.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <string.h>
#include <stdlib.h>
char *init_block(size_t block_size, size_t offset,
char *data, size_t data_size) {
char *buffer = malloc(block_size);
if (data_size > block_size || block_size - data_size < offset) {
/* Data won't fit in buffer, handle error */
}
memcpy(buffer + offset, data, data_size);
return buffer;
} |
This function fails to check if the allocation succeeds, which is a violation of ERR33-C. Detect and handle standard library errors. If the allocation fails, then malloc()
returns a null pointer. The null pointer is added to offset
and passed as the destination argument to memcpy()
. Because a null pointer does not point to a valid object, the result of the pointer arithmetic is undefined behavior 46.
An attacker who can supply the arguments to this function can exploit it to execute arbitrary code. This can be accomplished by providing an overly large value for block_size
, which causes malloc()
to fail and return a null pointer. The offset
argument will then serve as the destination address to the call to memcpy()
. The attacker can specify the data
and data_size
arguments to provide the address and length of the address, respectively, that the attacker wishes to write into the memory referenced by offset
. The overall result is that the call to memcpy()
can be exploited by an attacker to overwrite an arbitrary memory location with an attacker-supplied address, typically resulting in arbitrary code execution.
Compliant Solution (Null Pointer Arithmetic)
This compliant solution ensures that the call to malloc()
succeeds:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <string.h>
#include <stdlib.h>
char *init_block(size_t block_size, size_t offset,
char *data, size_t data_size) {
char *buffer = malloc(block_size);
if (NULL == buffer) {
/* Handle error |
...
Noncompliant Code Example (Improper Scaling)
In this noncompliant example, the integer skip
is scaled when added to the pointer s
and may point outside the bounds of the object referenced by s
:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stddef.h> #include <stdlib.h> #include <string.h> struct big { unsigned long long ull_1; unsigned long long ull_2; unsigned long long ull_3; int si_4; int si_5; }; int g(void) { size_t skip = offsetof(struct big, ull_2); struct big *s = (struct big *)malloc(4 * sizeof(struct big)); if (s == NULL) { return -1; /* Failure */ } if memset(sdata_size + skip, 0, sizeof(struct big) - skip); return 0> block_size || block_size - data_size < offset) { /* Data won't fit in buffer, handle error */ } memcpy(buffer + offset, data, data_size); return buffer; } |
Compliant Solution
This compliant solution does not scale skip
:
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
struct big {
unsigned long long ull_1;
unsigned long long ull_2;
unsigned long long ull_3;
int si_4;
int si_5;
};
int g(void) {
size_t skip = offsetof(struct big, ull_2);
struct big *s = (struct big *)malloc(4 * sizeof(struct big));
if (s == NULL) {
return -1; /* Failure */
}
memset(((unsigned char *)s) + skip, 0,
sizeof(struct big) - skip);
return 0;
} |
Risk Assessment
Accessing out-of-range pointers or array subscripts for writing can result in a buffer overflow and the execution of arbitrary code with the permissions of the vulnerable process or unintended information disclosure.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ARR30-C | High | Likely | High | P9 | L2 |
Automated Detection
...
Tool
...
Version
...
Checker
...
Description
...
...
Could be configured to catch violations of this rule. The way to catch the noncompliant code example is to first hunt for example code that follows this pattern:
for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\';
*pwszTemp++;)
In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer. Once this case is handled, ROSE can handle cases like the real noncompliant code example, which is effectively the same semantics, just different syntax
...
...
ARRAY_VS_SINGLETON
NEGATIVE_RETURNS
OVERRUN_STATIC OVERRUN_DYNAMIC
...
Can detect the access of memory past the end of a memory buffer/array
Can detect when the loop bound may become negative
Can detect the out-of-bound read/write to array allocated statically or dynamically
Risk Assessment
Writing to out-of-range pointers or array subscripts can result in a buffer overflow and the execution of arbitrary code with the permissions of the vulnerable process. Reading from out-of-range pointers or array subscripts can result in unintended information disclosure.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ARR30-C | High | Likely | High | P9 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| array-index-range | Partially checked Can detect all accesses to invalid pointers as well as array index out-of-bounds accesses and prove their absence. This rule is only partially checked as invalid but unused pointers may not be reported. | ||||||
Axivion Bauhaus Suite |
| CertC-ARR30 | Can detect out-of-bound access to array / buffer | ||||||
CodeSonar |
| LANG.MEM.BO | Buffer overrun | ||||||
Compass/ROSE | Could be configured to catch violations of this rule. The way to catch the noncompliant code example is to first hunt for example code that follows this pattern: for (LPWSTR pwszTemp = pwszPath + 2; *pwszTemp != L'\\'; In particular, the iteration variable is a pointer, it gets incremented, and the loop condition does not set an upper bound on the pointer. Once this case is handled, ROSE can handle cases like the real noncompliant code example, which is effectively the same semantics, just different syntax | ||||||||
| OVERRUN NEGATIVE_RETURNS ARRAY_VS_SINGLETON BUFFER_SIZE | Can detect the access of memory past the end of a memory buffer/array Can detect when the loop bound may become negative Can detect the out-of-bound read/write to array allocated statically or dynamically Can detect buffer overflows | |||||||
Cppcheck |
| arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond, possibleBufferAccessOutOfBounds | Context sensitive analysis of array index, pointers, etc. Array index out of bounds Buffer overflow when calling various functions memset,strcpy,.. Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds | ||||||
Cppcheck Premium |
| arrayIndexOutOfBounds, outOfBounds, negativeIndex, arrayIndexThenCheck, arrayIndexOutOfBoundsCond, possibleBufferAccessOutOfBounds premium-cert-arr30-c | Context sensitive analysis of array index, pointers, etc. Array index out of bounds Buffer overflow when calling various functions memset,strcpy,.. Warns about condition (a[i] == 0 && i < unknown_value) and recommends that (i < unknown_value && a[i] == 0) is used instead Detects unsafe code when array is accessed before/after it is tested if the array index is out of bounds | ||||||
Helix QAC |
| C2840 DF2820, DF2821, DF2822, DF2823, DF2840, DF2841, DF2842, DF2843, DF2930, DF2931, DF2932, DF2933, DF2935, DF2936, DF2937, DF2938, DF2950, DF2951, DF2952, DF2953 | |||||||
Klocwork |
| ABV.GENERAL | |||||||
LDRA tool suite |
| 45 D, 47 S, 476 S, 489 S, 64 X, 66 X, 68 X, 69 X, 70 X, 71 X, 79 X | Partially implemented | ||||||
Parasoft C/C++test |
| CERT_C-ARR30-a | Avoid accessing arrays out of bounds | ||||||
Parasoft Insure++ | Runtime analysis | ||||||||
PC-lint Plus |
| 413, 415, 416, 613, 661, 662, 676 | Fully supported | ||||||
Polyspace Bug Finder |
| Checks for:
Rule partially covered. | |||||||
PVS-Studio |
| V512, V557, V582, V594, V643, V645, V694, V1086 | |||||||
RuleChecker |
| array-index-range-constant return-reference-local | Partially checked | ||||||
TrustInSoft Analyzer |
| index_in_address | Exhaustively verified (see one compliant and one non-compliant example). |
Related Vulnerabilities
CVE-2008-1517 results from a violation of this rule. Before Mac OSX version 10.5.7, the XNU kernel accessed an array at an unverified user-input index, allowing an attacker to execute arbitrary code by passing an index greater than the length of the array and therefore accessing outside memory [xorl 2009].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
ISO/IEC TR 24772:2013 | Arithmetic Wrap-Around Error [FIF] | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TR 24772:2013 | Unchecked Array Indexing [XYZ] | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TS 17961 | Forming or using out-of-bounds pointers or array subscripts [invptr] | Prior to 2018-01-12: CERT: Unspecified Relationship |
CWE 2.11 | CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer | 2017-05-18: CERT: Rule subset of CWE |
CWE 2.11 | CWE-123, Write-what-where Condition | 2017-05-18: CERT: Partial overlap |
CWE 2.11 | CWE-125, Out-of-bounds Read | 2017-05-18: CERT: Partial overlap |
MISRA C:2012 | Rule 18.1 (required) | Prior to 2018-01-12: CERT: Unspecified Relationship |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-119 and ARR30-C
Independent( ARR30-C, ARR38-C, ARR32-C, INT30-C, INT31-C, EXP39-C, EXP33-C, FIO37-C)
STR31-C = Subset( Union( ARR30-C, ARR38-C))
STR32-C = Subset( ARR38-C)
CWE-119 = Union( ARR30-C, ARR38-C)
Intersection( ARR30-C, ARR38-C) = Ø
CWE-394 and ARR30-C
Intersection( ARR30-C, CWE-394) = Ø
CWE-394 deals with potentially-invalid function return values. Which may be used as an (invalid) array index, but validating the return value is a separate operation.
CWE-125 and ARR30-C
Independent( ARR30-C, ARR38-C, EXP39-C, INT30-C)
STR31-C = Subset( Union( ARR30-C, ARR38-C))
STR32-C = Subset( ARR38-C)
CWE-125 = Subset( CWE-119) = Union( ARR30-C, ARR38-C)
Intersection( ARR30-C, CWE-125) =
- Reading from an out-of-bounds array index, or off the end of an array
ARR30-C – CWE-125 =
- Writing to an out-of-bounds array index, or off the end of an array
CWE-125 – ARR30-C =
- Reading beyond a non-array buffer
- Using a library function to achieve an out-of-bounds read.
CWE-123 and ARR30-C
Independent(ARR30-C, ARR38-C)
STR31-C = Subset( Union( ARR30-C, ARR38-C))
STR32-C = Subset( ARR38-C)
Intersection( CWE-123, ARR30-C) =
- Write of arbitrary value to arbitrary (probably invalid) array index
ARR30-C – CWE-123 =
- Read of value from arbitrary (probably invalid) array index
- Construction of invalid index (pointer arithmetic)
CWE-123 – ARR30-C =
- Arbitrary writes that do not involve directly constructing an invalid array index
CWE-129 and ARR30-C
Independent( ARR30-C, ARR32-C, INT31-C, INT32-C)
ARR30-C = Union( CWE-129, list), where list =
- Dereferencing an out-of-bounds array index, where index is a trusted value
- Forming an out-of-bounds array index, without dereferencing it, whether or not index is a trusted value. (This excludes the array’s TOOFAR index, which is one past the final element; this behavior is well-defined in C11.)
CWE-120 and ARR30-C
See CWE-120 and MEM35-C
CWE-122 and ARR30-C
Intersection( ARR30-C, CWE-122) = Ø
CWE-122 specifically addresses buffer overflows on the heap operations, which occur in the context of string-copying. ARR30 specifically addresses improper creation or references of array indices. Which might happen as part of a heap buffer overflow, but is on a lower programming level.
CWE-20 and ARR30-C
See CWE-20 and ERR34-C
CWE-687 and ARR30-C
Intersection( CWE-687, ARR30-C) = Ø
ARR30-C is about invalid array indices which are created through pointer arithmetic, and dereferenced through an operator (* or []). Neither involve function calls, thus CWE-687 does not apply.
CWE-786 and ARR30-C
ARR30-C = Union( CWE-786, list) where list =
- Access of memory location after end of buffer
- Construction of invalid arry reference (pointer). This does not include an out-of-bounds array index (an integer).
CWE-789 and ARR30-C
Intersection( CWE-789, ARR30-C) = Ø
CWE-789 is about allocating memory, not array subscripting
Bibliography
...
...
ABV.ITERATOR SV.TAINTED.LOOP_BOUND
...
47 S
476 S
64 X
68 X
69 X
...
Related Vulnerabilities
CVE-2008-1517 results from a violation of this rule. Before Mac OSX version 10.5.7, the xnu kernel accessed an array at an unverified user-input index, allowing an attacker to execute arbitrary code by passing an index greater than the length of the array and therefore accessing outside memory [xorl 2009].
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
ISO/IEC TR 24772:2013 | Arithmetic Wrap-around Error [FIF] Unchecked Array Indexing [XYZ] |
ISO/IEC TS 17961 | Forming or using out-of-bounds pointers or array subscripts [invptr] |
MITRE CWE | CWE-119, Failure to constrain operations within the bounds of a memory buffer CWE-121, Stack-based buffer overflow CWE-122, Heap-based buffer overflow CWE-129, Unchecked array indexing CWE-788, Access of memory location after end of buffer CWE-805, Buffer access with incorrect length value |
Bibliography
] | Chapter 1, "Running with Scissors" |
[Viega 2005] | Section 5.2.13, "Unchecked Array Indexing" |
[xorl 2009 ] | "CVE-2008-1517: Apple Mac OS X (XNU) Missing Array Index Validation" |
...
...