You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 101 Next »

Although common practice has been to use integers and pointers interchangeably in C, pointer-to-integer and integer-to-pointer conversions are implementation-defined

Conversions between integers and pointers can have undesired consequences depending on the implementation. According to the C Standard, subclause 6.3.2.3 [ISO/IEC 9899:2011],

An integer may be converted to any pointer type. Except as previously specified, the result is implementation-defined, might not be correctly aligned, might not point to an entity of the referenced type, and might be a trap representation.

Any pointer type may be converted to an integer type. Except as previously specified, the result is implementation-defined. If the result cannot be represented in the integer type, the behavior is undefined. The result need not be in the range of values of any integer type.

See also undefined behavior 24 of Annex J.

Do not convert an integer type to a pointer type if the resulting pointer is incorrectly aligned, does not point to an entity of the referenced type, or is a trap representation.

Do not convert a pointer type to an integer type if the result cannot be represented in the integer type.

These issues arise because the mapping functions for converting a pointer to an integer or an integer to a pointer must be consistent with the addressing structure of the execution environment. For example, not all machines have a flat memory model.

Noncompliant Code Example

This example is noncompliant, for example, on an implementation where pointers are 64 bits and unsigned integers are 32 bits because the result of converting the 64-bit ptr cannot be represented in the 32-bit integer type:

void f(void) {
  char *ptr;
  /* ... */
  unsigned int number = (unsigned int)ptr;  /* Violation */
  /* ... */
}

Compliant Solution

Any valid pointer to void can be converted to intptr_t or uintptr_t and back with no change in value (see INT36-EX2). The C Standard guarantees that a pointer to void may be converted to or from a pointer to any object type and and back again and that the result must compare equal to the original pointer. Consequently, converting directly from a char * pointer to a uintptr_t, as in this compliant solution, is allowed on implementations that support the uintptr_t type.

void f(void) {
  char *ptr;
  /* ... */
  uintptr_t number = (uintptr_t)ptr;  
  /* ... */
}

Noncompliant Code Example

In this code example, the pointer ptr is converted to an integer value. The high-order 9 bits of the number are used to hold a flag value, and the result is converted back into a pointer. This example is noncompliant, for example, on an implementation where pointers are 64 bits and unsigned integers are 32 bits because the result of converting the 64-bit ptr cannot be represented in the 32-bit integer type.

char *ptr;
unsigned int flag;
/* ... */
unsigned int number = (unsigned int)ptr;
number = (number & 0x7fffff) | (flag << 23);
ptr = (char *)number;

A similar scheme was used in early versions of Emacs, limiting its portability and preventing the ability to edit files larger than 8MB.

Note that this noncompliant code example also violates EXP11-C. Do not make assumptions regarding the layout of structures with bit-fields.

Compliant Solution

This compliant solution uses a struct to provide storage for both the pointer and the flag value. This solution is portable to machines of different word sizes, both smaller and larger than 32 bits, working even when pointers cannot be represented in any integer type. 

struct ptrflag {
  char *pointer;
  unsigned int flag :9;
} ptrflag;

char *ptr;
unsigned int flag;
/* ... */
ptrflag.pointer = ptr;
ptrflag.flag = flag;

Noncompliant Code Example

It is sometimes necessary in low-level kernel or graphics code to access memory at a specific location, requiring a literal integer to pointer conversion. In this noncompliant code, a pointer is set directly to an integer constant, where it is unknown whether the result will be as intended:

unsigned int *g(void) {
  unsigned int *ptr = 0xdeadbeef;
  /* ... */
  return ptr;
} 

The result of this assignment is implementation-defined, might not be correctly aligned, might not point to an entity of the referenced type, and might be a trap representation.

Compliant Solution

Adding an explicit cast may help the compiler convert the integer value into a valid pointer. A common technique is to assign the integer to a volatile-qualified object of type intptr_t or uintptr_t and then assign the integer value to the pointer:

unsigned int *g(void) {
  volatile uintptr_t iptr = 0xdeadbeef;
  unsigned int *ptr = (unsigned int *)iptr;
  /* ... */
  return ptr;
}

The volatile qualifier typically prevents the compiler from diagnosing the assignment of an integer to a pointer.

Exceptions

INT36-EX1: A null pointer can be converted to an integer; it takes on the value 0. Likewise, a 0 integer can be converted to a pointer; it becomes the null pointer.

INT36-EX2: Any valid pointer to void can be converted to intptr_t or uintptr_t and back with no change in value. This exception includes the underlying types if intptr_t and uintptr_t are typedefs, and any typedefs that denote the same types as intptr_t and uintptr_t.

void h(void) {
  intptr_t i = (intptr_t)(void *)&i;
  uintptr_t j = (uintptr_t)(void *)&j;
 
  void *ip = (void *)i;
  void *jp = (void *)j;
 
  assert(ip == &i);
  assert(jp == &j);
}

Risk Assessment

Converting from pointer to integer or vice versa results in unportable code and may create unexpected pointers to invalid memory locations.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

INT36-C

Low

Probable

High

P2

L3

Automated Detection

Tool

Version

Checker

Description

Compass/ROSE   
Coverity6.5POINTER_CONVERSION_LOSES_BITSFully Implemented

LDRA tool suite

9.7.1

94 S

Fully implemented
PRQA QA-C
Unable to render {include} The included page could not be found.
0309 (U)Partially implemented

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines

CERT C++ Secure Coding StandardINT11-CPP. Take care when converting from pointer to integer or integer to pointer
ISO/IEC TR 24772:2013Pointer Casting and Pointer Type Changes [HFC]
ISO/IEC TS 17961Converting a pointer to integer or integer to pointer [intptrconv]
MITRE CWECWE-466, Return of pointer value outside of expected range
CWE-587, Assignment of a fixed address to a pointer

Bibliography

[ISO/IEC 9899:2011]Subclause 6.3.2.3, "Pointers"

 


  • No labels