...
Note that the maximum amount of allocatable memory is typically limited to a value less than SIZE_MAX
(the maximum value of size_t
). Always check the return value from a call to any memory allocation function in compliance with void MEM32ERR33-C. Detect and handle memory allocation standard library errors.
Risk Assessment
Unsigned integer wrapping in memory allocation functions can lead to buffer overflows that can be exploited by an attacker to execute arbitrary code with the permissions of the vulnerable process. Most implementations of calloc()
now check to make sure silent wrapping does not occur, but it is not always safe to assume the version of calloc()
being used is secure, particularly when using dynamically linked libraries.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MEM07-C | High | Unlikely | Medium | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| Supported, but no explicit checker | |||||||
CodeSonar |
| ALLOC.SIZE.MULOFLOW | Multiplication overflow of allocation size | ||||||
Compass/ROSE |
Parasoft C/C++test |
| CERT_C-MEM07-a | The validity of values passed to library functions shall be checked |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
SEI CERT C++ Coding Standard | VOID MEM07-CPP. Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t |
MITRE CWE | CWE-190, Integer overflow (wrap or wraparound) CWE-128, Wrap-around error |
Bibliography
[RUS-CERT] | Advisory 2002-08:02, "Flaw in calloc and Similar Routines" |
[Seacord 2013] | Chapter 4, "Dynamic Memory Management" |
[Secunia] | Advisory SA10635, "HP-UX calloc Buffer Size Miscalculation Vulnerability" |
...
...