If a function is reentered during the initialization of a static object inside that function, the behavior of the program is undefined. Please note that this is a different problem is not the same as infinite recursion. For this problem to occur, a function only needs to recurse once.
[[ISO/IEC 14882-2003]] Section 6.7, "Declaration Statement" describes the initialization of static and thread storage duration objects. In the case of static objects, recursive reentry into the initialization of a static storage duration causes undefined behavior and various results can be obtained when using different compilers.
Noncompliant Code Example
This noncompliant code example declares the variable y
as a static int. The value of test( x)
is assigned to y
within the test(int x)
function. However, when test(int x)
is called with an input which results in reaching the initialization of y
more than once, such as the value 12, undefined behavior occurs. Note that this code does not present an infinite recursion and still causes the undefined behavior mentioned.
int test(int x){ x--; if(x < 0 || x > 10) { return 0; } else { static int y = test(x); //<--undefined behavior occurs here return y; } }
The behavior observed from running this code under various compilers differs.
In gcc3, this code will recurse as if y
were a non-static variable.
In gcc4, upon reaching the initialization of y
for the second time, the program will terminate with the following message:
terminate called after throwing an instance of '__gnu_cxx::recursive_init' what(): N9__gnu_cxx14recursive_initE Aborted (core dumped)
Compliant Solution
In this compliant solution, y
is declared before being assigned a value. According to [[ISO/IEC 14882-2003]] Section 6.7.4, the initialization of y
will have been completed at the end of the declaration and before the assignment of a value, thus removing the possibility of undefined behavior.
int test(int x){ x--; if(x < 0 || x > 10) { return 0; } else { static int y; y = test(x); return y; } }
Risk Assessment
Recursively reentering a function during the initialization of one of its static objects can result in an attacker being able to cause a crash or denial of service.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
DCL38-CPP |
med |
unlikely |
low |
P8 |
L4 |
Automated Detection
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
References
[[ISO/IEC 14882-2003]] Section 6.7, "Declaration Statement"
DCL37-CPP. Overloaded postfix operators should return const 02. Declarations and Initialization (DCL) 03. Expressions (EXP)