Floating-point numbers can take on two classes of exceptional values; infinity and NaN (not-a-number). These values are returned as the result of exceptional or otherwise unresolvable floating point operations. (See also: FLP32-C. Prevent or detect domain and range errors in math functions). Additionally, they can be directly input by a user by scanf or similar functions. Failure to detect and handle such values can result in undefined behavior.
NaN values are particularly problematic, as the expression NaN==NaN (for every possible value of NaN) returns false. Any comparisons made with NaN as one of the arguments returns false, and all arithmetic functions on NaNs simply propagate them through the code. Hence, a NaN entered in one location in the code and not properly handled could potentially cause problems in other, more distant sections.
Formatted-input functions such as scanf will accept the values INF, INFINITY, or NAN (not case sensitive) as valid inputs for the %f format specification, allowing malicious users to feed them directly to a program. Programs should therefore check to ensure that all input floating point values (especially those controlled by the user) do not have either of these values if doing so would be inappropriate. The <math.h> library provides two macros for this purpose: isinf and isnan.
isinf and isnan
The isinf macro tests an input floating point value for infinity. isinf(\x) returns 1 if x is infinity, -1 if x is negative infinity, and 0 otherwise.
isnan tests if an input is NaN. isnan(\x) is 1 if x is NaN, and 0 otherwise.
If infinity or NaN values are not acceptable inputs in a program, these macros should be used to ensure they are not passed to vulnerable functions.
Implementation Details
If an out of range float is entered into a formatted input function, it is automatically converted by the function into infinity if it is greater than FLOAT_MAX, or to negative infinity if it is less than FLOAT_MIN. Thus users can still force a float to be infinity, even if their input strings are tested for the "inf" or "infinity" pattern. The exact values of FLOAT_MIN and FLOAT_MAX are implementation specific.
For example, if FLOAT_MAX is 1e99, then passing the string "1e9999" to scanf("%f", &x) will result in x having the value infinity.
Therefore, any floating-point input should be tested for infinity or nan, even if the text strings are filtered.
Noncompliant Code Example
The following noncompliant code accepts user data without first validating it.
double currentBalance; /* User's cash balance */
void doDeposit(){
double val;
scanf("%g", &val);
if(val>=MAX_VALUE-currentBalance) {
/*Handle range error*/
}
currentBalance+=val;
}
This can be a problem if an invalid value is entered for val and subsequently used for calculations or as control values. The user could, for example, input the strings "INF", "INFINITY", or "NAN" (case insensitive) on the command line, which would be parsed by scanf into the floating-point representations of infinity and NaN. All subsequent calculations using these values would be invalid, possibly crashing the program and enabling a DOS attack.
Here, for example, entering "nan" for val would force currentBalance to also equal "nan", corrupting its value. If this value is used elsewhere for calculations, every resulting value would also be NaN, possibly destroying important data.
Compliant Code Example
The following code first validates the input float before using it. The value is tested to ensure that it is neither infinity nor negative infinity nor NaN.
double currentBalance; /* User's cash balance */
void doDeposit(){
double val;
scanf("%g", &val);
int k=isinf(x);
if (k==1){
/* handle infinity error */
}
if (k==-1){
/* handle negative infinity error */
}
if(isnan(val)) /* test NaN */
{
/* handle NaN error */
}
if(val>=MAX_VALUE-currentBalance) {
/*Handle range error*/
}
currentBalance+=val;
}
Exceptions
Occasionally, NaN or infinity may be acceptable or expected inputs to a program. If this is the case, then explicit checks may not be necessary. Such programs must, however, be prepared to handle these inputs gracefully and not blindly use them in mathematical expressions where they are not appropriate.
Risk Assessment
Inappropriate floating point inputs can result in invalid calculations and unexpected results, possibly leading to crashing and providing a DOS opportunity.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
FLP04-C. |
low |
probable |
high |
P6 |
L2 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[IEEE 754]]
[[ISO/IEC 9899:1999]]
[[IEEE 1003.1, 2004]]