Variable length arrays (VLA) are essentially the same as traditional C arrays, the major difference being they are declared with a size that is not a constant integer expression. A variable length array can be declared as follows:
char vla[s];
The above statement is evaluated at runtime, allocating storage for s
characters in stack memory. If a size argument supplied to VLAs is not a positive integer value of reasonable size, then the program may behave in an unexpected way. An attacker may be able to leverage this behavior to overwrite critical program data [Griffiths 06]. The programmer must ensure that size arguments to VLAs are valid and have not been corrupted as the result of an exceptional integer condition.
Non-Compliant Code Example
In this example, a VLA of size s
is declared. In accordance with recommendation INT01-A. Use size_t for all integer values representing the size of an object, s
is of type size_t
, as it is used to specify the size of an object. However, it is unclear whether the value of s
is a valid size argument. Depending on how VLAs are implemented, s
may be interpreted as a negative value or a very large positive value. In either case, this may result in a security vulnerability.
void func(size_t s) { int vla[s]; /* ... */ } /* ... */ func(size); /* ... */
Compliant Code Solution
Validate size arguments used in VLA declarations. The solution below ensures the size argument, s
, used to allocate vla
is in a valid range: 1 to a user defined constant.
#define MAX_ARRAY 1024 void func(size_t s) { int vla[s]; /* ... */ } /* ... */ if (s < MAX_ARRAY && s != 0) { func(s); } else { /* Handle Error */ } /* ... */
Implementation Details
Variable length arrays are not supported by Microsoft compilers.
Risk Assessment
Failure to properly specify the size of a variable length array may allow arbitrary code execution.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
ARR32-C |
3 (high) |
1 (unlikely) |
1 (high) |
P3 |
L3 |
Examples of vulnerabilities resulting from the violation of this rule can be found on the CERT website.
References
[[Griffiths 06]]