If a function is reentered during the initialization of a static object inside that function, the behavior of the program is undefined. Please note that this is a different problem is not the same as infinite recursion. For this problem to occur, a function only needs to recurse once.
[[ISO/IEC 14882-2003]] Section 6.7, "Declaration Statement" describes the initialization of static and thread storage duration objects. In the case of static objects, recursive reentry into the initialization of a static storage duration causes undefined behavior and various results can be obtained when using different compilers.
Noncompliant Code Example
This noncompliant code example declares the variable y as a static int. The value of test( x) is assigned to y within the test(int x) function. However, when test(int x) is called with an input which results in reaching the initialization of y more than once, such as the value 12, undefined behavior occurs. Note that this code does not present an infinite recursion and still causes the undefined behavior mentioned.
int test(int x){
x--;
if(x < 0 || x > 10)
{
return 0;
}
else
{
static int y = test(x); //<--undefined behavior occurs here
return y;
}
}
The behavior observed from running this code under various compilers differs.
In gcc3, this code will recurse as if y were a non-static variable.
In gcc4, upon reaching the initialization of y for the second time, the program will terminate with the following message:
terminate called after throwing an instance of '__gnu_cxx::recursive_init' what(): N9__gnu_cxx14recursive_initE Aborted (core dumped)
Compliant Solution (p with Block Scope)
In this compliant solution, p is declared with the same scope as str, preventing p from taking on an indeterminate value outside of this_is_OK().
void this_is_OK(void) {
const char str[] = "Everything OK";
const char *p = str;
/* ... */
}
/* p is inaccessible outside the scope of string str */
Compliant Solution (p with File Scope)
If it is necessary for p to be defined with file scope, it can be set to NULL before str is destroyed. This prevents p from taking on an indeterminate value, although any references to p must check for NULL.
const char *p;
void is_this_OK(void) {
const char str[] = "Everything OK?";
p = str;
/* ... */
p = NULL;
}
Noncompliant Code Example (Return Values)
In this example, the function init_array() incorrectly returns a pointer to a local stack variable.
char *init_array(void) {
char array[10];
/* Initialize array */
return array;
}
Some compilers generate a warning when a pointer to an automatic variable is returned from a function, as in this example. Compile your code at high warning levels and resolve any warnings (see MSC00-CPP. Compile cleanly at high warning levels).
Compliant Solution (Return Values)
Correcting this example depends on the intent of the programmer. If the intent is to modify the value of array and have that modification persist outside of the scope of init_array(), the desired behavior can be achieved by declaring array elsewhere and passing it as an argument to init_array().
void init_array(char array[]) {
/* Initialize array */
return;
}
int main(int argc, char *argv[]) {
char array[10];
init_array(array);
/* ... */
return 0;
}
Risk Assessment
Referencing an object outside of its lifetime can result in an attacker being able to run arbitrary code.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
|---|---|---|---|---|---|
DCL30-CPP |
high |
probable |
high |
P6 |
L2 |
Automated Detection
The LDRA tool suite Version 7.6.0 can detect violations of this rule.
Fortify SCA Version 5.0 can detect violations when an array is declared in a function and then a pointer to that array is returned.
Splint Version 3.1.1 can detect violations of this rule.
Compass/ROSE can detect violations of this rule. It automatically detects returning pointers to local variables. Detecting more general cases, such as examples where static pointers are set to local variables which then go out of scope would be difficult.
The Coverity Prevent RETURN_LOCAL checker finds many instances where a function will return a pointer to a local stack variable. Coverity Prevent cannot discover all violations of this rule, so further verification is necessary.
Klocwork Version 8.0.4.16 can detect violations of this rule with the LOCRET checker.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
This rule appears in the C Secure Coding Standard as DCL30-C. Declare objects with appropriate storage durations.
References
[[Coverity 07]]
[[ISO/IEC 14882-2003]] Sections 3.7, "Storage duration"; 3.8, "Object Lifetime"
[[Henricson 97]] Rule 5.9, "A function must never return, or in any other way give access to, references or pointers to local variables outside the scope in which they are declared."
[[Lockheed Martin 05]] AV Rule 111, "A function shall not return a pointer or reference to a non-static local object."
[[ISO/IEC PDTR 24772]] "DCM Dangling references to stack frames"
[[MISRA 04]] Rule 8.6
DCL17-CPP. Declare function parameters that are large data structures and are not changed by the function as const references 02. Declarations and Initialization (DCL) DCL31-CPP. Do not define variadic functions