The calloc() function takes two arguments: the number of elements to allocate and the storage size of those elements. Typically, calloc() multiples implementations multiply these arguments together, and uses the result to specify the amount of to determine how much memory to allocate. However, if Historically, some implementations failed to check whether out-of-bounds results silently wrapped [RUS-CERT Advisory 2002-08:02]. If the result of multiplying the number of elements to allocate and the storage size cannot be represented properly by an unsigned int, an integer overflow will occur. Therefore wraps, less memory is allocated than was requested. As a result, it is necessary to check the product of the arguments to calloc() for an integer overflow. If an overflow occurs, the program should detect and handle it appropriately.
Non-compliant Code Example 1
ensure that these arguments, when multiplied, do not wrap.
Modern implementations of the C standard library should check for wrap. If the calloc() function implemented by the libraries used for a particular implementation properly handles unsigned integer wrapping (in conformance with INT30-C. Ensure that unsigned integer operations do not wrap) when multiplying the number of elements to allocate and the storage size, that is sufficient to comply with this recommendation and no further action is required.
Noncompliant Code Example
In this noncompliant example, the user-In this example, the user defined function get_size() (not shown) is used to calculate the size requirements for a dynamic array of unsigned long long integers and stored in long int that is assigned to the variable num_elements. When calloc() is called to allocate the buffer, num_elements will be is multiplied with the by sizeof(unsigned long long) to compute the overall size requirements. If the value returned by get_size() is too large to be multiplied by sizeof(unsigned long long) and properly stored in an intermediate location within calloc()number of elements multiplied by the size cannot be represented as a size_t, then calloc() may allocate a buffer of insufficient size. When data is copied to that buffer, a buffer an overflow may occur.
| Code Block | ||||
|---|---|---|---|---|
| ||||
size_t num_elements = get_size();; long *buffer = (long *)calloc(num_elements, sizeof(long)); if (buffer == NULL) { /* Handle error condition */ } /* ... */ free(buffer); buffer = NULL; |
Compliant Solution
...
To correct In this compliant solution, a test is performed on the product of the two arguments num_elements and sizeof(long) post are checked before the call to calloc(). The test reproduces the multiplication performed by calloc() and evaluates the product to determine if an overflow occured. The comparison checks the product against the system defined limit on a size_t data type ISO/IEC 9899 shifted left by one against the product of num_elements and sizeof(long). if the product's highest bit is set, then it is assumed that an arithmetic overflow has occured. Although this limits the amount of memory that can be allocated, it is important to note that typically, the maximum amount of allocatable memory is limited to a value less than SIZE_MAX. to determine if wrapping will occur:
| Code Block | ||||
|---|---|---|---|---|
| ||||
long *buffer;
size_t num_elements;
if (num_elements > SIZE_MAX/sizeof(long)) {
/* Handle error condition */
}
buffer = (long *) | ||||
| Code Block | ||||
size_t num_elements = calc_size(); long *buffer = calloc(num_elements, sizeof(long)); if ((num_elements*sizeof(long)) >= (SIZE_MAX>>1))buffer == NULL) { /* Handle error condition */ } |
References
...
Note that the maximum amount of allocatable memory is typically limited to a value less than SIZE_MAX (the maximum value of size_t). Always check the return value from a call to any memory allocation function in compliance with ERR33-C. Detect and handle standard library errors.
Risk Assessment
Unsigned integer wrapping in memory allocation functions can lead to buffer overflows that can be exploited by an attacker to execute arbitrary code with the permissions of the vulnerable process. Most implementations of calloc() now check to make sure silent wrapping does not occur, but it is not always safe to assume the version of calloc() being used is secure, particularly when using dynamically linked libraries.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
MEM07-C | High | Unlikely | Medium | P6 | L2 |
Automated Detection
Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| Supported, but no explicit checker | |||||||
| CodeSonar |
| ALLOC.SIZE.MULOFLOW | Multiplication overflow of allocation size | ||||||
| Compass/ROSE | |||||||||
| Parasoft C/C++test |
| CERT_C-MEM07-a | The validity of values passed to library functions shall be checked |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
| SEI CERT C++ Coding Standard | VOID MEM07-CPP. Ensure that the arguments to calloc(), when multiplied, can be represented as a size_t |
| MITRE CWE | CWE-190, Integer overflow (wrap or wraparound) CWE-128, Wrap-around error |
Bibliography
| [RUS-CERT] | Advisory 2002-08:02, "Flaw in calloc and Similar Routines" |
| [Seacord 2013] | Chapter 4, "Dynamic Memory Management" |
| [Secunia] | Advisory SA10635, "HP-UX calloc Buffer Size Miscalculation Vulnerability" |
...
http://cert.uni-stuttgart.de/advisories/calloc.php
Secunia Advisory SA10635, http://secunia.com/advisories/10635/
ISO/IEC 9899, 7.18.3 Limits of other integer types