The size of a structure is not always equal to the sum of the sizes of its members. According to Section 6.7.2.1 of the C99 standard, "There may be unnamed padding within a structure object, but not at its beginning" [[ISO/IEC 9899-1999]].
This is often referred to as structure padding. Structure members are arranged in memory as they are declared in the program text. Padding may be added to the structure to ensure the structure is properly aligned in memory. Structure padding allows for faster member access on many architectures.
Rearranging the fields in a struct
can change the size of the struct
. It is possible to minimize padding anomalies if the fields are arranged in such a way that fields of the same size are grouped together.
Padding is also referred to as "struct
member alignment." Many compilers provide a flag that controls how the members of a structure are packed into memory. Modifying this flag may cause the size of the structures to vary. Most compilers also include a keyword that removes all padding; the resulting structures are referred to as packed structures. Overriding the default behavior is often unwise because it leads to interface compatibility problems (the nominally same struct
has its layout interpreted differently in different modules).
Non-Compliant Code Example
This non-compliant code example assumes that the size of struct buffer
is equal to the size of its individual components, which may not be the case [[Dowd 06]]. The size of struct buffer
may actually be larger due to structure padding.
struct buffer { size_t size; char bufferC[50]; }; /* ... */ void func(const struct buffer *buf) { /* Assumes sizeof( struct buffer) = sizeof( size_t) + 50 * sizeof( char) = 54 */ struct buffer *buf_cpy = (struct buffer *)malloc(54); if (buf_cpy == NULL) { /* Handle malloc() error */ } /* * with padding, sizeof(struct buffer) may be greater than 54, causing * some data to be written outside the bounds of the memory allocated */ memcpy(buf_cpy, buf, sizeof(struct buffer)); /* ... */ free(buf_cpy); }
Compliant Solution
Accounting for structure padding prevents these types of errors.
enum {buffer_size = 50}; struct buffer { size_t size; char bufferC[buffer_size]; }; /* ... */ void func(const struct buffer *buf) { struct buffer *buf_cpy = (struct buffer *)malloc(sizeof(struct buffer)); if (buf_cpy == NULL) { /* Handle malloc() error */ } /* ... */ memcpy(buf_cpy, buf, sizeof(struct buffer)); /* ... */ free(buf_cpy); }
Risk Assessment
Failure to correctly determine the size of a structure can lead to subtle logic errors and incorrect calculations.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
EXP03-A |
2 (medium) |
1 (unlikely) |
1 (high) |
P2 |
L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[Dowd 06]] Chapter 6, "C Language Issues" (Structure Padding 284-287)
[[ISO/IEC 9899-1999]] Section 6.7.2.1, "Structure and union specifiers"
[[Sloss 04]] Section 5.7, "Structure Arrangement"
EXP02-A. The second operands of the logical AND and OR operators should not contain side effects 03. Expressions (EXP) EXP04-A. Do not perform byte-by-byte comparisons between structures