Flexible array members are a special type of array where the last element of a structure with more than one named member has an incomplete array type; that is, the size of the array is not specified explicitly within the structure. This "struct hack" was widely used in practice and supported by a variety of compilers. Consequently, a variety of different syntaxes have been used for declaring flexible array members. For C99-compliant implementations, use the syntax guaranteed valid by C99 [[ISO/IEC 9899:1999]]. Section 6.7.2.1, paragraph 16: "Structure and Union Specifiers", says:
In particular, the size of the structure is as if the flexible array member were omitted except that it may have more trailing padding than the omission would imply.
Noncompliant Code Example
Prior to the introduction of flexible array members in the C99 standard, structures with a one element array as the final member were used to achieve similar functionality. This noncompliant code example illustrates how struct flexArrayStruct
is declared in this case.
This noncompliant code attempts to allocated a flexible array member with a one element array as the final member. When the structure is instantiated, the size computed for malloc()
is modified to account for the actual size of the dynamic array.
struct flexArrayStruct { int num; int data[1]; }; /* ... */ size_t array_size; size_t i; /* initialize array_size */ /* space is allocated for the struct */ struct flexArrayStruct *structP = (struct flexArrayStruct *) malloc(sizeof(struct flexArrayStruct) + sizeof(int) * (array_size - 1)); if (structP == NULL) { /* Handle malloc failure */ } structP->num = 0; /* access data[] as if it had been allocated * as data[array_size] */ for (i = 0; i < array_size; i++) { structP->data[i] = 1; }
The problem with using this approach is that the behavior is undefined when accessing other than the first element of data (see Section 6.5.6, Paragraph 8 of the C99 standard). Consequently, the compiler can generate code that does not return the expected value when accessing the second element of data.
This approach may be the only alternative for compilers that do not yet implement the C99 syntax. Microsoft Visual Studio 2005 does not implement the C99 syntax.
Compliant Solution
This compliant solution uses the flexible array member to achieve a dynamically sized structure.
struct flexArrayStruct{ int num; int data[]; }; /* ... */ size_t array_size; size_t i; /* Initialize array_size */ /* Space is allocated for the struct */ struct flexArrayStruct *structP = (struct flexArrayStruct *) malloc(sizeof(struct flexArrayStruct) + sizeof(int) * array_size); if (structP == NULL) { /* Handle malloc failure */ } structP->num = 0; /* Access data[] as if it had been allocated * as data[array_size] */ for (i = 0; i < array_size; i++) { structP->data[i] = 1; }
This compliant solution allows the structure to be treated as if it had declared the member data[]
to be data[array_size]
in a manner that conforms to the C99 standard.
However, some restrictions apply:
- The incomplete array type must be the last element within the structure.
- There cannot be an array of structures that contain flexible array members.
- Structures that contain a flexible array member cannot be used as a member in the middle of another structure.
- The
sizeof
operator cannot be applied to a flexible array.
Risk Assessment
Failing to use the correct syntax can result in undefined behavior, although the incorrect syntax will work on most implementations.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
MEM33-C |
low |
unlikely |
low |
P3 |
L3 |
Automated Detection
Compass/ROSE can detect some violations of this rule. In particular, it warns if the last element of a struct
is an array with a small index (0 or 1).
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[ISO/IEC 9899:1999]] Section 6.7.2.1, "Structure and union specifiers"
[[McCluskey 01]] ;login:, July 2001, Volume 26, Number 4
MEM32-C. Detect and handle memory allocation errors 08. Memory Management (MEM)