Variable - length arrays (VLAs), a conditionally supported language feature, are essentially the same as traditional C arrays , the major difference being except that they are declared with a size that is not a constant integer expression . A variable-and can be declared only at block scope or function prototype scope and no linkage. When supported, a variable length array can be declared as follows:
Code Block |
---|
{ /* Block scope */ char vla[ssize]; } |
where the integer expression size
and the declaration of vla
are both evaluated at runtime. If the size argument supplied to a variable length array is not a positive integer value, the behavior is undefined. (See undefined behavior 72.) Additionally, if the magnitude of the argument is excessive, the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 2006]. The programmer must ensure that size arguments to variable length arrays, especially those derived from untrusted data, are in a valid range.
Because variable length arrays are a conditionally supported feature of C11, their use in portable code should be guarded by testing the value of the macro __STDC_NO_VLA__
. Implementations that do not support variable length arrays indicate it by setting __STDC_NO_VLA__
to the integer constant 1 where the integer {{s}} and the declaration are both evaluated at runtime. If a size argument supplied to a variable-length array is not a positive integer value of reasonable size, then the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data \[[Griffiths 06|AA. C References#Griffiths 06]\]. The programmer must ensure that size arguments to variable-length arrays are valid and have not been corrupted as the result of an exceptional integer condition. Wiki Markup
Noncompliant Code Example
In this noncompliant code example, a variable-a variable length array of size size
s
is declared. The size
s
is declared as size_t
in compliance with INT01-C. Use rsize_t or size_t for all integer values representing the size of an object.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stddef.h> extern void do_work(int *array, size_t size); void func(size_t ssize) { int vla[ssize]; /* ... */ } /* ... */ func(do_work(vla, size); /* ... */} |
However, it is unclear whether the value of s
is a valid size
argument. Depending on how variable-length arrays are implemented, the size may be interpreted as a negative value or a very positive value. The either case, a security vulnerability may occur.
For example, for GCC 4.2.2 on the Debian GNU/Linux Intel 32-bit platform, the value of a variable length array's size is interpreted as a 32-bit signed integer. Passing in a negative number for the size will likely cause the program stack to become corrupted, and passing in a large positive number may cause a terminal stack overflow. It is important to note that this information may become outdated as GCC evolves.
may be zero or excessive, potentially giving rise to a security vulnerability.
Compliant
...
Solution
This compliant solution ensures the size
argument s
used to allocate vla
is in a valid range (between 1 and a programmer-defined maximum); otherwise, it uses an algorithm that relies on dynamic memory allocation. The solution also avoids unsigned integer wrapping that, given a sufficiently large value of size
, would cause malloc
to allocate insufficient storage for the array.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdint.h> #include <stdlib.h> enum { MAX_ARRAY = 1024 }; extern void do_work(int *array, size_t size); void func(size_t s size) { if (0 == size || SIZE_MAX / sizeof(int) < size) { /* Handle error */ return; } if (ssize < MAX_ARRAY && s != 0) ) { int vla[size]; do_work(vla, size); } else { int *array = (int *)malloc(size * sizeof(int)); if (array == NULL) { /* Handle error */ } do_work(array, size); free(array); } } |
Noncompliant Code Example (sizeof
)
The following noncompliant code example defines A
to be a variable length array and then uses the sizeof
operator to compute its size at runtime. When the function is called with an argument greater than SIZE_MAX / (N1 * sizeof (int))
, the runtime sizeof
expression may wrap around, yielding a result that is smaller than the mathematical product N1 * n2 * sizeof (int)
. The call to malloc()
, when successful, will then allocate storage for fewer than n2
elements of the array, causing one or more of the final memset()
calls in the for
loop to write past the end of that storage.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdlib.h> #include <string.h> enum { N1 = 4096 }; void *func(size_t n2) { typedef int A[n2][N1]; A *array = malloc(sizeof(A)); if (!array)vla[s]; /* ... */ } else { /* Handle Errorerror */ return NULL; } for (size_t i = 0; i != n2; ++i) { memset(array[i], 0, N1 * sizeof(int)); } return array; /* ... */ func(size); /* ... */ } |
Furthermore, this code also violates ARR39-C. Do not add or subtract a scaled integer to a pointer, where array
is a pointer to the two-dimensional array, where it should really be a pointer to the latter dimension instead. This means that the memset()
call does out-of-bounds writes on all of its invocations except the first.
Compliant Solution (sizeof
)
This compliant solution prevents sizeof
wrapping by detecting the condition before it occurs and avoiding the subsequent computation when the condition is detected. The code also uses an additional typedef to fix the type of array
so that memset()
never writes past the two-dimensional array.
Code Block | ||||
---|---|---|---|---|
| ||||
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum { N1 = 4096 };
void *func(size_t n2) {
if (n2 > SIZE_MAX / (N1 * sizeof(int))) {
/* Prevent sizeof wrapping */
return NULL;
}
typedef int A1[N1];
typedef A1 A[n2];
A1 *array = (A1*) malloc(sizeof(A));
if (!array) {
/* Handle error */
return NULL;
}
for (size_t i = 0; i != n2; ++i) {
memset(array[i], 0, N1 * sizeof(int));
}
return array;
}
|
Implementation Details
Microsoft
Variable length arrays are not supported by Microsoft compilers.
GCC
Newer versions of GCC have incorporated variable length arrays, but do not yet claim full C99 conformance. As such, variable length arrays should only be used on GCC with great care.
On an example Debian GNU/Linux Intel 32-bit test machine with GCC v. 4.2.2, the value of a variable length array's size is interpreted as a 32-bit signed integer. Passing in a negative number for the size will likely cause the program stack to become corrupted, and passing in a large positive number may cause a terminal stack overflow. It is important to note that this information may become outdated as GCC evolves.
Risk Assessment
Failure to properly specify the size of a a variable length array may allow arbitrary code execution or result in stack exhaustion.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
ARR32-C |
High |
Probable |
High | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
CodeSonar |
| ALLOC.SIZE.IOFLOW | Integer Overflow of Allocation Size | ||||||
Coverity |
| REVERSE_NEGATIVE | Fully implemented | ||||||
Cppcheck |
| negativeArraySize | Context sensitive analysis | ||||||
Cppcheck Premium |
| negativeArraySize premium-cert-arr32-c | Context sensitive analysis Will warn only if given size is negative | ||||||
Helix QAC |
| C1051 | |||||||
Klocwork |
| MISRA.ARRAY.VAR_LENGTH.2012 | |||||||
LDRA tool suite |
| 621 S | Enhanced enforcement | ||||||
Parasoft C/C++test |
| CERT_C-ARR32-a | Ensure the size of the variable length array is in valid range | ||||||
PC-lint Plus |
| 9035 | Assistance provided | ||||||
Polyspace Bug Finder |
| Checks for:
Rule fully covered. | |||||||
TrustInSoft Analyzer |
| alloca_bounds | Exhaustively verified. |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
This rule appears in the C++ Secure Coding Standard as ARR32-CPP. Ensure size arguments for variable length arrays are in a valid range.
References
Wiki Markup |
---|
\[[Griffiths 06|AA. C References#Griffiths 06]\]
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "XYX Boundary Beginning Violation" and "XYZ Unchecked Array Indexing" |
Related Guidelines
Key here (explains table format and definitions)
Taxonomy | Taxonomy item | Relationship |
---|---|---|
CERT C Secure Coding Standard | INT01-C. Use rsize_t or size_t for all integer values representing the size of an object | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TR 24772:2013 | Unchecked Array Indexing [XYZ] | Prior to 2018-01-12: CERT: Unspecified Relationship |
ISO/IEC TS 17961:2013 | Tainted, potentially mutilated, or out-of-domain integer values are used in a restricted sink [taintsink] | Prior to 2018-01-12: CERT: Unspecified Relationship |
CWE 2.11 | CWE-758 | 2017-06-29: CERT: Rule subset of CWE |
CERT-CWE Mapping Notes
Key here for mapping notes
CWE-129 and ARR32-C
Intersection( CWE-188, EXP39-C) = Ø
ARR32-C addresses specifying the size of a variable-length array (VLA). CWE-129 addresses invalid array indices, not array sizes.
CWE-758 and ARR32-C
Independent( INT34-C, INT36-C, MSC37-C, FLP32-C, EXP33-C, EXP30-C, ERR34-C, ARR32-C)
CWE-758 = Union( ARR32-C, list) where list =
- Undefined behavior that results from anything other than too large a VLA dimension.
CWE-119 and ARR32-C
- Intersection( CWE-119, ARR32-C) = Ø
- ARR32-C is not about providing a valid buffer but reading/writing outside it. It is about providing an invalid buffer, or one that exhausts the stack.
Bibliography
...
ARR31-C. Use consistent array notation across all source files 06. Arrays (ARR) ARR33-C. Guarantee that copies are made into storage of sufficient size