The three types char
, signed char
, and unsigned char
are collectively called the character types. Compilers have the latitude to define char
to have the same range, representation, and behavior as either signed char
or unsigned char
. Irrespective of the choice made, char
is a separate type from the other two and is not compatible with either.
Non-Compliant Code Example
This non-compliant code example is taken from an actual vulnerability in bash versions 1.14.6 and earlier that resulted in the release of CERT Advisory CA-1996-22. This vulnerability resulted from the declaration of the string
variable in the yy_string_get()
function as char *
in the parse.y
module of the bash source code:
static int yy_string_get() { register char *string; register int c; string = bash_input.location.string; c = EOF; /* If the string doesn't exist, or is empty, EOF found. */ if (string && *string) { c = *string++; bash_input.location.string = string; } return (c); }
The string variable is used to traverse the character string containing the command line to be parsed. As characters are retrieved from this pointer, they are stored in a variable of type int
. For compilers in which the char
type defaults to signed char
, this value is sign-extended when assigned to the int
variable. For character code 255 decimal (-1 in two's complement form), this sign extension results in the value -1 being assigned to the integer which is indistinguishable from the EOF
integer constant expression.
Compliant Solution
This problem is easily repaired by explicitly declaring the string
variable as unsigned char
.
static int yy_string_get() { register unsigned char *string; register int c; string = bash_input.location.string; c = EOF; /* If the string doesn't exist, or is empty, EOF found. */ if (string && *string) { c = *string++; bash_input.location.string = string; } return (c); }
Risk Assessment
This is a subtle error that results in a disturbingly broad range of potentially severe vulnerabilitiles.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
INT07-A |
2 (medium) |
2 (probable) |
2 (medium) |
P8 |
L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899-1999]] Section 6.2.5, "Types"