SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 31 Next »

All integer values originating from untrusted sources should be evaluated to determine whether there are identifiable upper and lower bounds. If so, these limits should be enforced by the interface. Anything that can be done to limit the input of excessively large or small integers should help prevent overflow and other type range errors. Furthermore, it is easier to find and correct input problems than it is to trace internal errors back to faulty inputs.

Non-Compliant Code example

In the following non-compliant code example, size is a user supplied parameter used determine the size of table.

int create_table(size_t size) {
  char **table;

  if (sizeof(char *) > SIZE_MAX/size) {
   /* handle overflow */
  }

  size_t table_size = size * sizeof(char *);
  table = malloc(table_size)
  if (table == NULL) {
    /* Handle error condition */
  }
  /* ... */
  return 0;
}

However, since size can be controlled by the user, it could be specified to be either large enough to consume large amounts of system resources and still succeed or large enough to cause the call to malloc() to fail, which, depending on how error handling is implemented, may result in a denial of service condition.

Compliant Solution

This compliant solution defines an acceptable range for table size as 1 to MAX_TABLE_SIZE. The size parameter is typed as size_t and is unsigned by definition. Consequently, it is not necessary to check size for negative values (see INT01-A. Use size_t for all integer values representing the size of an object).

enum { MAX_TABLE_SIZE = 256 };

int create_table(size_t size) {
  char **table;

  if (size == 0 || size > MAX_TABLE_SIZE) {
    /* Handle invalid size */
  }

  /* 
   * The wrap check has been omitted based on the assumption that
   * MAX_TABLE_SIZE * sizeof(char *) cannot exceed SIZE_MAX 
   * If this assumption is not valid, a check must be added
   */

  size_t table_size = size * sizeof(char *);

  table = malloc(table_size);
  if (table == NULL) {
    /* Handle error condition */
  }
  /* ... */
  return 0;
}

Risk Assessment

Failing to enforce the limits on integer values can result in a denial of service condition.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

INT04-A

1 (low)

2 (probable)

1 (high)

P2

L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

[[Seacord 05]] Chapter 5, "Integer Security"

  • No labels