SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Many library functions take pointers as arguments. If the pointer passed to a library function does not refer to valid memory, the results are undefined. Typically the program will terminate abnormally when the invalid pointer is dereferenced, but it is possible, and quite common, for an invalid pointer to be dereferenced, and its memory changed, without abnormal termination. Such programs can be very difficult to debug due to the difficulty of determining the pointer's lack of validity.

One source of prevention of invalid pointers would be a function that could take a pointer and indicate if the pointer is 'valid' or not, for some definition of valid. For instance, here is a function that declares any pointer to be valid except NULL.

int invalid(void* ptr) {
  return (ptr == NULL);
}

Some platforms will have platform-specific pointer validation tools.

The following code relies on the _etext address, which is provided by many platforms, including AIX, Linux, QNX, IRIX, and Solaris. It is not POSIX-compliant, nor is it available on Windows.

#include <stdio.h>
#include <stdlib.h>

int invalid(void* p) {
  extern char _etext;
  return (p == NULL) || ((char*) p < &_etext);
}


int global;

int main(void) {
  int local;
  void *p = &local;
  int* q = (int*) malloc(sizeof(int));
  printf("pointer to local var invalid? %d\n", invalid(p));
  p = &global;
  printf("pointer to static var invalid? %d\n", invalid(p));
  p = (void*) main;
  printf("pointer to function invalid? %d\n", invalid(p));

  printf("pointer to heap invalid? %d\n", invalid(q));
  q++;
  printf("pointer to end of allocated heap invalid? %d\n", invalid(q));
  q--;
  free(q);
  printf("pointer to freed heap invalid? %d\n", invalid(q));
  q = NULL;
  printf("null pointer invalid? %d\n", invalid(q));

  return 0;
}

On a Linux platform, this program produces the following output:

pointer to local var invalid? 0
pointer to static var invalid? 0
pointer to function invalid? 1
pointer to heap invalid? 0
pointer to end of allocated heap invalid? 0
pointer to freed heap invalid? 0
null pointer invalid? 1

As you can see, the invalid() function is not perfect; it only identifies NULL pointers and pointers to functions as invalid.

Risk Assessment

A pointer validation library can be used to identify, and thus, prevent the execution of vulnerable code

Failure to clear memory can result in leaked information. Occasionally, it can also lead to buffer overflows when programmers assume, for example, a NULL termination byte is present when it is not.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MEM10-A

low

unlikely

high

P1

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

MEM09-A. Do not assume memory allocation routines initialize memory      08. Memory Management (MEM)      

  • No labels